ACOS 4.1.1-P13 Release Notes: For A10 Thunder Series 16 March 2020

ACOS 4.1.
1-P13
Release Notes
for A10 Thunder® Series
16 March 2020
© 2020 A10 NETWORKS, INC. CONFIDENTIAL AND PROPRIETARY- ALL RIGHTS RESERVED
Information in this document is subject to change without notice.
PATENT PROTECTION
A10 Networks products are protected by patents in the U.S. and elsewhere. The following website is provided to satisfy the virtual patent marking provi-
sions of various jurisdictions including the virtual patent marking provisions of the America Invents Act. A10 Networks' products, including all Thunder
Series products, are protected by one or more of U.S. patents and patents pending listed at:
https://www.a10networks.com/company/legal-notices/a10-virtual-patent-marking
TRADEMARKS
A10 Networks trademarks are listed at:
https://www.a10networks.com/company/legal-notices/a10-trademarks
CONFIDENTIALITY
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may not be disclosed,
copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Networks, Inc.
A10 NETWORKS INC. SOFTWARE LICENSE AND END USER AGREEMENT

Software for all A10 Networks products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees to treat Software as confidential
information.
Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA), provided later in this document
or available separately. Customer shall not:
1. Reverse engineer, reverse compile, reverse de-assemble, or otherwise translate the Software by any means.
2. Sub-license, rent, or lease the Software.
DISCLAIMER
This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fit-
ness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate,
but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product specifications and features described in this pub-
lication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be
available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks’ products and ser-
vices are subject to A10 Networks’ standard terms and conditions.
ENVIRONMENTAL CONSIDERATIONS
Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufac-
turer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.
FURTHER INFORMATION
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks location, which can be
found by visiting www.a10networks.com.
Table of Contents
Changes to Default Behavior ................................................................................................. 15

Default Behavior Changes Between ACOS 4.1.1-P9 and ACOS 4.1.1-P10 .........................15
External Health Monitor Script Access .................................................................................................. 15
Default Behavior Changes Between ACOS 4.1.1-P3 and ACOS 4.1.1-P4............................16
Support for Downgrading or Disabling the TLS or SSL Version ........................................................ 16
Default Behavior Changes Between ACOS 4.1.1-P2 and ACOS 4.1.1-P3............................17
Session Capacity of SLB Real Servers and Ports Increased to 64 Million Sessions .................... 17
aXAPI Configuration Field Name Changed From v3_req to v3-request .......................................... 17
aXAPI Configuration Flag Fields Modified in Schema for slb.template.client-ssl ......................... 18
Default Behavior Changes Introduced in ACOS 4.1.1-P2 .....................................................19
Default Enabled Cipher Suites Update ................................................................................................... 20
NTP Server Default Ports Update ........................................................................................................... 20
Support for the Signature Algorithms List in the SSL/TLS Handshake ........................................... 20
Enabling Gateway Traps ........................................................................................................................... 21
Global Monitoring Template Configuration ........................................................................................... 21
Deprecated ipv4-list and ipv6-list Options for RADIUS Remote Server ........................................... 21
WAF Policy File Size Limit Increased to 10MB ..................................................................................... 22
Deprecated ip-map-list Commands ....................................................................................................... 22
Deprecated License Option in the Import Command ......................................................................... 22
Deprecated Export-periodic Command ................................................................................................. 22
System Template Monitor Command is Changed to System Template-bind Monitor ................ 22
Show Run Command is Modified to Not Show Default Values ........................................................ 23
Default Behavior Changes Between ACOS 4.1.x and ACOS 4.1.1 .......................................23
Use of Special Characters for Object Names ....................................................................................... 23
Explicit HTTP-Proxy Configuration and Class-Lists Change ............................................................. 23
General GUI Support .................................................................................................................................. 24
vThunder ADC License Expiration Behavior .......................................................................................... 24
Legacy Proxy Chaining Configuration .................................................................................................... 24
Upgrading to 4.1.1 Might Cause a Web-Category License to Become Corrupt ............................. 24
VRID Default ................................................................................................................................................ 25
Tunnel-Endpoint-Address ......................................................................................................................... 25
LOM Interface CLI Changes ..................................................................................................................... 25
GSLB aXAPI Policy Parameters ............................................................................................................... 25
Default Behavior Changes Between ACOS 4.1.0-P2 and ACOS 4.1.1 .................................25
Configuring Trunk IDs ................................................................................................................................ 26
Web Category BrightCloud Server Query Timeout Default Changed ............................................... 26
AAM Authentication Template Name Supports 127 Characters ...................................................... 26
Default Contents of Exported AX Debug Files are Changed ............................................................. 26
Selecting Multiple Class-lists in an SLB Policy Template ................................................................... 26
page 3
ACOS 4.1.1-P13 Release Notes
Contents
Viewing Resource Usage Statistics ........................................................................................................ 27

Default Behavior Changes from ACOS 4.1.0-P2 to ACOS 4.1.0-P3 .....................................27
Default TLS Version and Behavioral Changes for Server SSL .......................................................... 28
Default Behavior Changes Between ACOS 4.1.0 and ACOS 4.1.0-P2 .................................30
TCP Proxy Retransmission Retries Default Changed ......................................................................... 31
Default Value Changed for receive-buffer and transmit-butter in TCP-Proxy Template ............... 31
Default Behavior Changes Between ACOS 4.0.1 and ACOS 4.1.0.......................................31
Spaces in VIP Names are Not Supported ............................................................................................. 32
Viewing the Active Device Statistics in aVCS Configurations ........................................................... 32
SNMP CLI Changes ................................................................................................................................... 32
Show class-list Command Change ........................................................................................................ 32
Initial TCP Congestion Window ............................................................................................................... 32
dns-cache-enable round-robin Command Change ............................................................................. 33
Deprecated CLI Commands ..................................................................................................................... 33
Enhanced Black/White List Error Parsing Behavior ............................................................................ 33
Webroot and ThreatSTOP Licensing Behavior ..................................................................................... 33
Changes to Formatting of NetFlow Records for Long-lived Sessions ............................................ 34
Details .................................................................................................................................................... 34
Samples NetFlow Records Using the Old Formatting Approach ............................................... 34
Samples NetFlow Records Using the New Formatting Approach ............................................ 35
Default Behavior Changes Between ACOS 4.0 and ACOS 4.0.1 ..........................................35
AAM SSL Client Certificate Authentication via LDAP .......................................................................... 36
VRRP-A CLI Changes ................................................................................................................................. 36
Disable VRRP-A ................................................................................................................................... 37
Force-Self-Standby .............................................................................................................................. 37
Persistent Force-Self-Standby .......................................................................................................... 37
VRID Fail-Over Policy Template ........................................................................................................ 37
VRID Priority ......................................................................................................................................... 38
VRID Tracking Options ....................................................................................................................... 38
Overlay CLI Changes ................................................................................................................................. 39
Show Overlay Configuration .............................................................................................................. 39
CGNv6 DDoS IP Anomaly Checks ........................................................................................................... 39
Default Behavior Changes Between Legacy 2.x Releases and ACOS 4.x Releases...........40
Discontinued and No Longer Supported Configuration Parameters ............................................... 40
Default Behaviors for Private Partitions ................................................................................................ 41
Only L3V Partitions are Supported ................................................................................................... 41
Partition IDs are Mandatory .............................................................................................................. 41
Unloading and Deleting a Partition .................................................................................................. 41
New Show Commands in the CLI .................................................................................................... 42
Partitions are SLB or CGN-specific .................................................................................................. 42
Configuring High Availability .................................................................................................................... 42
Admin Roles ................................................................................................................................................ 42
End-user Scripts Must Add Delay for SLB Policy Templates ............................................................. 43
Interfaces are Disabled by Default .......................................................................................................... 43
Confirming Hardware-based Compression Support .......................................................................... 44
Rate Limit Neighbor Discovery Messages for IPv6 ............................................................................. 45
page 4
Contents
IP-anomaly Filtering ................................................................................................................................... 45

Applying Global Link Monitoring Templates ......................................................................................... 45
Memory Usage and Data CPU Statistics Display in GUI .................................................................... 45
Default Behavior of Layer 2 Handling on the Default VLAN ............................................................... 45
Specifying the Logging Severity Level .................................................................................................... 46
NTP Server Default Ports ......................................................................................................................... 46
Disable Audit Logging Not Saved to the Running Config ................................................................... 46
Upgrading From 2.7.2 to 4.X Causes MTU Configuration to be Lost ............................................... 46
What’s New ............................................................................................................................ 51

ACOS 4.1.1-P13 New Features ..............................................................................................51
Network Enhancements ........................................................................................................................... 52
Same Service-group Binding on Different “no-dest-nat”(DSR) Virtual Ports ............................ 52
Application Access Management Enhancements .............................................................................. 54
Selective External Health Monitor Access ...................................................................................... 54
SSLi Enhancements ................................................................................................................................... 54
SSLi Connection Buffering During Certificate Fetching and Forging ........................................ 55
Platform Enhancements ........................................................................................................................... 55
TACACS Server Number Increment and the Limitation ............................................................... 56
Known Issues or Limitations ............................................................................................................ 56
Scenario ................................................................................................................................................ 56
Important .............................................................................................................................................. 56
ACOS 4.1.1-P9 New Features ................................................................................................56
Layer 2/3 Routing Enhancements .......................................................................................................... 57
Management Services Command Precedence ............................................................................ 57
SLB Enhancements ................................................................................................................................... 58
TCP “Loose Close” ............................................................................................................................... 58
Health Monitor Enhancements ............................................................................................................... 58
Compound Health Monitor Bound to Service-group with DSCP ................................................ 58
Health Monitor UP and DOWN Statuses ........................................................................................ 59
SSLi Enhancements ................................................................................................................................... 60
Support for SSH Insight ..................................................................................................................... 61
Support for SSLi Exception Lists Based on Certificate Subject or Issuer ................................ 61
IP-less SSLI OCSP request support for Layer-2 mode ................................................................. 61
Support for IP-less Single Partition SSLi ........................................................................................ 62
Friendly Response Block/Failure Page for SSLi ............................................................................ 62
SSLi - ICAP Only send allowed HTTP methods logs .................................................................... 63
Support for Revoking Certificate From the Cache and Generating CRL .................................. 65
Support for Dropping, Rejecting, or Forwarding Connections Based on EKU Fields for Certifi-
cates ...................................................................................................................................................... 65
System Log Enhancements ..................................................................................................................... 65
System Local Log Limit ...................................................................................................................... 65
page 5
Contents

String Length for TCP Health Monitors Increased to 512 Characters ...................................... 66
Support for HTTP 1.1 for OCSP Requests ..................................................................................... 66
Log Message for Service Group Member Activity ........................................................................ 67
Support for TCP MSS Clamping on Gi-FW Sessions ................................................................... 67
Support for Disabling ICAP Based on HTTP Header Using afleX .............................................. 68
Support for Web Category Lookup using aFleX ............................................................................ 69
Support for New Interface Types for ip mgmt-traffic ................................................................... 72
High Availability Migration Support ................................................................................................. 73
Support for SSLi Forward Proxy Bypass Exception List .............................................................. 74
Harmony Controller Enhancements ....................................................................................................... 76
Ongoing Sync for Objects and Devices ........................................................................................... 77
Object Registration for ADC or CGN ................................................................................................ 77
Thunder Device Registration ............................................................................................................. 77
Telemetry for ADC Metrics Generation to Kafka/Avro ................................................................. 77
Telemetry for Object UUID Sync on Thunder Clusters ................................................................. 77
Configuration Manager Enhancements ................................................................................................. 77
Providing Valid JSON Response on Successful API Upgrade .................................................... 78
New SNMP Object for Firewall Global Statistics ........................................................................... 78
New SNMP Object for Firewall Full-Cone Sessions ..................................................................... 78
New SNMP Object for Firewall System Status .............................................................................. 79
GUI Enhancements .................................................................................................................................... 79
Single Sign-on Support from Harmony Controller GUI to the Thunder ADC GUI .................... 79
SSL Version Filtering for SSLi Through GUI ................................................................................... 79
Harmony Controller Registration Through GUI ............................................................................. 79
Licensing Enhancements ......................................................................................................................... 79
Capacity Pool License Model for vThunder and Bare Metal ....................................................... 79
Network Management System Enhancements ................................................................................... 81
Clearing Unused Real Server Ports .................................................................................................. 81
SSL Insight (SSLi) Enhancements .......................................................................................................... 81
Dynamic Port Inspection Based on DSCP ...................................................................................... 81
SSL Insight (SSLi) Enhancements .......................................................................................................... 82
L2 Insertion Single-partition SSLi Deployments ............................................................................ 82
Dynamic Port SSLi without A10-FP Header ................................................................................... 82
FIPS 140-2 Level 2 Enhancements ......................................................................................................... 83
Support for FIPS Level 2 .................................................................................................................... 83
Security Enhancements ............................................................................................................................ 83
ECDHE and ECDSA Cipher Suite Support for FIPS Platforms .................................................... 83
Application Access Management (AAM) Enhancements .................................................................. 84
Maximum Form-based Relay Collection Size Command ........................................................... 85
Clear Reverse DNS Cache Command ............................................................................................. 85
page 6
Contents
RSA Custom Challenge Form ........................................................................................................... 85

Configuration Management Enhancements ........................................................................................ 86
Proceed with CLI Deployment Through Any Warnings ................................................................ 86
Multi-part Response for CLI Deployment Errors ........................................................................... 86
Traceroute and Ping Using CLI Deployment .................................................................................. 87
Ability to Bypass Confirmation for Certain CLI Commands ....................................................... 88
Logging Enhancements ..................................................................................................................... 88
Application Delivery Controller (ADC) Enhancements ........................................................................ 88
Maintain UDP Sessions When a Real Server Goes Down ........................................................... 88
Limit (ID Action) in Policy Template Class Lists ............................................................................ 89
Third Generation SSL Card Support ................................................................................................ 89
Configurable idle-timeout for TCP, UDP, and TCP-Proxy on Fast-Path Configurations .......... 89
Hardware Blocking Unconfigured Virtual Port Traffic .................................................................. 90
Assigning Stateless Service Groups to Multiple Entities – L2DSR ............................................ 90
Assigning Stateless Service Groups to Multiple Entities – L3DSR ............................................ 90
Assigning Stateless Service Groups to Multiple Entities in L3DSR IP Tunneling Configs ..... 90
TCP and UDP Idle-timeout Implementation ................................................................................... 90
GiFW Enhancements ................................................................................................................................. 91
Support for ASCII Format Log Messages for GiFW ..................................................................... 91
Hairpinning Support for GiFW ........................................................................................................... 92
HTTP Logging Support for GiFW ..................................................................................................... 92
Include RADIUS Attributes in GiFW Logs ........................................................................................ 92
Additional show commands for GiFW ............................................................................................ 93
Support Framed-IPv6-Prefix as Key Attribute in RADIUS Table ................................................. 93
Support for TCP Logging for GiFW .................................................................................................. 94
IPv6 Migration (CGN) Enhancements .................................................................................................... 94
Extend CGN TCP/UDP Idle-timeout for NAT Sessions ................................................................ 94
Expand Maximum Number of Entries in CGN RADIUS Table ..................................................... 94
Delete RADIUS Accounting-On Request for CGN ......................................................................... 95
Include Byte Count in CGN Logging for TCP/UDP Traffic ........................................................... 95
Increase Maximum Number of HTTP Logging ............................................................................. 95
Include All Configured HTTP Header Names in CGN Log Messages ....................................... 95
Include File Extension of HTTP URI in CGN HTTP Logging ........................................................ 96
Disable RADIUS Accounting Response Packet in CGN Logging with Toggle Option ............ 96
Support for Port Batching v2 ............................................................................................................ 96
Layer 2/3 Routing Enhancements .......................................................................................................... 97
Load Balancing for Layer 2 Switched Packets on Trunk Interfaces .......................................... 97
Monitoring Enhancements ....................................................................................................................... 97
Logging Severity Change for Log Fields ......................................................................................... 97
Platform Enhancements ........................................................................................................................... 97
COTS Bare Metal Enhancements ..................................................................................................... 98
Cloud Enhancements ................................................................................................................................ 98
Backup and Restore Functionality ................................................................................................... 98
Setting Maximum Upper Limit of Cores for I/O Processing ....................................................... 98
vThunder for KVM (Virtio) Support for System Poll Mode .......................................................... 99
vThunder for KVM (Virtio) Support for OvS-DPDK ........................................................................ 99
Web Application Firewall (WAF) Enhancements .................................................................................. 99
page 7
Contents
WAF Policies File Size Limit Increase ............................................................................................100

SSL Insight (SSLi) Enhancements ........................................................................................................100
SSLi - ICAP Re-encrypt to Receive X-Protocol and X-Port Headers .........................................100
Enhancement to SSLi Failure Log ..................................................................................................101
CGN Enhancements ................................................................................................................................101
PCP DS-LITE Support for IPv6 Request with Third-party Option .............................................101
Enhancement to ECMP Hashing ....................................................................................................101
ACOS 4.1.1 New Features ....................................................................................................102
System Configuration and Administration ..........................................................................................102
New SNMP Object for Real Server Weight ...................................................................................103
New SNMP Object for Total Interface Throughput .....................................................................103
New SNMP Object for Disabled Real Servers ..............................................................................103
New SNMP Object for Gateway Health-Check Failure ...............................................................103
Partition-aware SNMP Configuration ............................................................................................104
Remove the Partition Name from Log Messages ......................................................................104
Sending Log Messages to a Server in Another Partition ...........................................................105
Resource Accounting for System Resources ..............................................................................105
Enhanced Output for the show resource-accounting Command ............................................106
Dynamic Deep Packet for Micro Burst Traffic .............................................................................106
DNS Lookup Enhancement Over the Management Port ...........................................................106
MIB Support to show total performance across each partition ..............................................106
Network Configuration ............................................................................................................................107
Trunk ID Enhancement .....................................................................................................................107
Tunnel Name Enhancement ...........................................................................................................107
IP Reroute Protocol Suppression ...................................................................................................107
VRRP-A High Availability .........................................................................................................................107
Viewing Information for all VRIDs ..................................................................................................108
Viewing Information for VRIDs per Partition ................................................................................108
Viewing Config Sync Status in CLI and aXAPI .............................................................................108
Application Delivery Partitions ...............................................................................................................108
Partition Customizable SNMP Community Strings ....................................................................108
Admin and Application Access Security Enhancements .................................................................109
Explicit Proxy Authentication Support ...........................................................................................109
LDAP Partition Awareness ..............................................................................................................109
aFleX Enhancements ..............................................................................................................................109
Increased aFleX Log Message Length ..........................................................................................110
Increased aFleX Session Table Entries .........................................................................................110
Enhancement to the aFleX HTTP::redirect Command ...............................................................110
Output for show running-config Command Shows all aFleX Scripts .....................................111
Multiple aFleX Policies Bound to one Virtual Port ......................................................................111
Enhancements to the RESOLVE::lookup Command ...................................................................112
Increase to aFleX Display Field Size ..............................................................................................112
aFleX Event LB_FAILED Enhanced .................................................................................................112
Binding aFleX Scripts Under FTP-Proxy Virtual Ports ................................................................112
TCP::Payload Replace Enhanced for TCP and FTP Virtual Ports ............................................113
Gi/SGi-Firewall Enhancements ..............................................................................................................113
page 8
Contents
Displaying or Clearing Firewall Helper Sessions .........................................................................113

Firewall Rule-set for Gi/SGi-FW ......................................................................................................113
Firewall Logging Template ..............................................................................................................113
CEF Format Support for CGN Traffic Logging .............................................................................114
DC-Firewall Enhancements ....................................................................................................................114
Support for Port-based Idle Time Outs .........................................................................................114
Multiple Src/Dst/Service Objects in a Single Rule ......................................................................115
System Resource Connections-per-Second Limits for Firewall ............................................116
Local Type Zone Enhancements ....................................................................................................116
vThunder Enhancements .......................................................................................................................117
VMXNET3 Network Adapter for Multiple Interfaces ..................................................................117
System Poll Mode .............................................................................................................................117
vThunder for OpenStack ..................................................................................................................118
Instructions for Running vThunder on OpenStack .....................................................................118
Thunder HVA Enhancements ................................................................................................................119
Jumbo Frame Support for vThunder Instances on HVA ...........................................................119
Assigning a Static Management IP to vThunder Instances on HVA .......................................120
LACP Support for vThunder Instances on HVA ..........................................................................120
SSL Insight (SSLi) Enhancements ........................................................................................................120
New CSR Digests ..............................................................................................................................121
SSLi Extended Statistics ..................................................................................................................121
SSLi Source NAT ...............................................................................................................................121
DSCP for Layer 7 SSL Proxy Server Policy ...................................................................................121
Support for Increased Number of SNI Entries .............................................................................122
Log Generated When SSL Insight Fails .........................................................................................122
Single Partition Support ...................................................................................................................123
Show SSL Statistics Enhancement ...............................................................................................123
Request Certificate Authorities ......................................................................................................123
DHE Ciphers supports 1024-bit or higher moduli .......................................................................123
Certificate Extension for SSL Insight .............................................................................................124
SSLi GUI Wizard .................................................................................................................................124
Generate Self-Signed CSR ...............................................................................................................124
Support for SSL/TLS Secure Renegotiation ................................................................................125
Support for HTTPS Import ..............................................................................................................125
ICAP HTTP Block Counters .............................................................................................................125
ICAP Feature to Send Entire URL for DLP .....................................................................................125
Secure ICAP ........................................................................................................................................125
ICAP Fail Close Option .....................................................................................................................126
ICAP Pre-Filter Allowed Methods and Minimum Payload .........................................................126
ICAP Logging .....................................................................................................................................126
Application Delivery and Server Load Balancing ................................................................................126
Actively Close Session when Server is Disabled or Fails Health Check ................................128
Clear Persistent Sessions Options ................................................................................................128
Server session close when the server is disabled or fails a health-check .............................128
Proxy Chaining Configuration .........................................................................................................131
Forward Policy Destination Rule Enhancement ..........................................................................131
Proxy Server Configuration for Web Category Services ............................................................131
page 9
Contents
Explicit Proxy Permission with AAM Policy ..................................................................................131

Terminate Diameter Session for Credit-Control-Answer-Termination Message ..................132
Return Diameter Unknown Session ID Instead of Dropping Traffic ........................................132
Handle Diameter Credit-Control-Request-Termination Messages ..........................................133
Enhanced Diameter CLI Parameters, Messages, and Output ..................................................133
Retry When the Server Response Contains Diameter Error Codes .........................................133
Diameter Disconnect-Peer-Request Message Handling ...........................................................133
Convert Diameter Origin Realm and Origin Host-ID ...................................................................134
Diameter Re-Auth-Request Message Handing ............................................................................134
Configure Diameter Device Watchdog Answer Messages for Server Up ..............................134
Support STARTTLS for IMAP and POP .........................................................................................134
TACACS+ Specific Health Monitor .................................................................................................134
Increasing the Maximum Number of Health Checks .................................................................135
Increase the Number of Black/White List Group IDs .................................................................135
Support for Simple Certificate Enrollment Protocol (SCEP) .....................................................135
Increase in Class-list Capacity ........................................................................................................136
Increase in PBSLB Subnet Capacity ..............................................................................................136
Software SSL Update to 1.0.2 .........................................................................................................136
HTTP Load Balancing to Proxy Servers ........................................................................................138
Hash Algorithm Based on Even-Odd Source IP Address ...........................................................138
DNS Caching to Honor Server Response TTL .............................................................................138
Extended SSL/TLS Usage Statistics ..............................................................................................139
Bandwidth Limit per SLB Server and SLB Server Port ...............................................................139
Parsing Multiple Certificates in a Certificate File ........................................................................139
Enhancements to TCP RST Behavior in TCP and TCP-Proxy Templates ...............................140
Port Override Health Check for Layer 2 DSR Deployments ......................................................140
Source IP and Source Port Packet Rate Enhancements ...........................................................140
Initial Non-SYN TCP Packet .............................................................................................................141
TLS Version 1.1 Support for SSL Clients ......................................................................................141
FTP Support for SLB Protocol Translation ...................................................................................141
Extended Cache Hit Statistics ........................................................................................................141
Fast-HTTP and HTTP Support for url-hash-persist ....................................................................141
Response to Client POST Request Modification .........................................................................142
Strict Load-Balancing for Weighted Round-Robin and Least Connection\ ............................142
Fast-HTTP and HTTP Support for url-hash-persist ....................................................................142
FTP Support for SLB Protocol Translation ...................................................................................142
Load Balancing with the “DNSSEC OK” (DO) Bit ..........................................................................143
SMTP Health Check ..........................................................................................................................143
Strict Layer 2 DSR Health Checks ..................................................................................................143
Disabling SSL Renegotiation ...........................................................................................................143
Advertised Certificate Authorities ..................................................................................................144
Thales HSM Device Support ...........................................................................................................144
Global Server Load Balancing ................................................................................................................144
Configuring Periodic GSLB Geo-Location Database Synchronization ....................................144
GSLB Health Monitors ......................................................................................................................145
Global Server Load Balancing Sticky Persistence Sync ............................................................145
GSLB Controller-Based Metrics ......................................................................................................145
page 10
Contents
GSLB CNAME Load Balancing ........................................................................................................146

EDNS-Client-Subnet Support for GSLB Geolocation Metric .....................................................146
DNS Logging Enhancement for GSLB: Log to Remote Servers Only ......................................146
Same GSLB Domain Configurations Across Partitions .............................................................146
GSLB Access Control Support ........................................................................................................147
EDNS-Client-Subnet Support for GSLB Geo-location Metric ....................................................147
Platform Software Enhancements .......................................................................................................147
SSH Login Grace Period ...................................................................................................................147
Login Banner Length Increased ......................................................................................................147
SLB Template Name Length Increased ........................................................................................148
Names for Tunnel Interfaces ..........................................................................................................148
Additional CLI Filtering Options ......................................................................................................148
Platform Hardware Enhancements ......................................................................................................148
40G QSFP+ Twinax Copper Cable Support ..................................................................................148
USB License Key for Thunder Bare Metal .....................................................................................148
ECDHE Cipher Support - PFS support ...........................................................................................149
CGN Enhancements ................................................................................................................................149
CGN Header Enrichment Matching Domain Names ..................................................................150
Client IP Insertion into HTTPS Requests on CGN/IPv6 Platform ............................................150
DDoS Protection Support for Fixed NAT IPs ................................................................................150
MAP-T Domain and Rule Expansion .............................................................................................150
MAP-T Support for Share-Ratio and Port-Start ...........................................................................151
Modify LSN NAT Pool without Downtime ....................................................................................151
Support to Disable Static NAT ........................................................................................................151
IP Black List for DDoS Protection ...................................................................................................151
Lw4o6 - Multiple Tunnel Support ...................................................................................................152
Lw4o6 access-list for Inside IPv4 Clients .....................................................................................152
One-to-One NAT Support for NAT64 .............................................................................................152
Lw4o6 for Port-less Protocols ........................................................................................................153
IPv4 Identification Value for IPv6 to IPv4 Translation ................................................................153
Validating Lightweight 4over6 Binding Tables .............................................................................153
Displaying Lightweight 4over6 Binding Table in the Order Configured ...................................154
Reduced CPU Overhead for CPU Round Robin ...........................................................................154
Configurable LSN RADIUS Table Size ...........................................................................................154
Enhancement to IP NAT Translation Command .........................................................................155
Enhancement to ECMP Hashing ....................................................................................................155
ACOS 4.x Platform Support Information .............................................................................. 157

Hardware Platform Support .................................................................................................157
Virtual Appliance Support ....................................................................................................158
Jumbo Frames: Supported Platforms .................................................................................159
Supported Number of Partitions Per Platform ...................................................................161
Splitter Cable Support for Quad Small Form-factor Pluggable on 40-Gigabit Ports ........162
Issues Fixed in ACOS 4.1.1 .................................................................................................. 163

Issues Fixed in Release 4.1.1-P13 .......................................................................................164
page 11
Contents

Issues Fixed in Release 4.1.1-P9 .........................................................................................182
Issues Fixed in Release 4.1.1...............................................................................................238
Known Issues in ACOS 4.1.1 ................................................................................................ 241

Known Issues in 4.1.1-P13...................................................................................................241
Known Issues in 4.1.1-P12...................................................................................................241
Known Issues in 4.1.1-P11...................................................................................................242
Known Issues in 4.1.1-P10...................................................................................................242
Known Issues in 4.1.1-P9 .....................................................................................................242
Known Issues in 4.1.1-P8 .....................................................................................................242
Known Issues in 4.1.1-P7 .....................................................................................................243
Known Issues in 4.1.1-P6 .....................................................................................................243
Known Issues in 4.1.1-P5 .....................................................................................................244
Known Issues in 4.1.1-P4 .....................................................................................................245
Known Issues in 4.1.1-P3 .....................................................................................................248
Known Issues in 4.1.1-P2 .....................................................................................................250
Known Issues in 4.1.1-P1 .....................................................................................................255
Known Issues in 4.1.1...........................................................................................................258
Limitations in ACOS 4.1.1 .................................................................................................... 263

Software Limitations ............................................................................................................263
Unable to Establish Copper Links UP If Configured 100/full or 10/full .........................................264
L3V Interface Disabled After Upgrading ..............................................................................................264
SSLi Single Partition with Explicit Proxy Source NAT ........................................................................265
External SSLi DATA CPUs running Higher ...........................................................................................265
SSL Forward Proxy Context not Updated ............................................................................................265
Dynamic Port Intercept on IP-Less SSLi ..............................................................................................265
Server-SSL Template Binding ................................................................................................................266
SSL Fail Handshake Statistics Not Incremented ...............................................................................267
Multiple Filters for CLI Output ................................................................................................................267
SLB and CGN Code Limitations ............................................................................................................267
Health Monitor for SLB with Hostname ...............................................................................................268
page 12
Contents
IPv6 NAT for FTP Proxy ..........................................................................................................................268

MMS Traffic for SLB ................................................................................................................................268
Information for 1G SFP on 10G Ports Not Displayed .......................................................................268
SNMP Read for GSLB Groups Does Not Support Identical Host Names .....................................268
Overlay Functionality Limitations ..........................................................................................................269
NAT Pool Statistics Limitation ...............................................................................................................269
VRRP-A Configuration Sync Limitation ................................................................................................269
Firewall Forced Timeout Limitation ......................................................................................................270
aXAPI Functionality Limitations ............................................................................................................270
Form-based Relay Pages Limitations ..................................................................................................270
Known GUI Limitations ...........................................................................................................................270
DHE Support Limitations ........................................................................................................................271
AAM Limitations .......................................................................................................................................271
4.1.1-P2 AAM Limitations .......................................................................................................................271
AAM aFleX Limitations ............................................................................................................................272
aFleX Limitations .....................................................................................................................................272
IPsec VPN Restrictions and Limitations .........................................................................................273
VPN Tunnel Cannot Be Up with SLB Virtual Server Enabled on Azure ..........................................273
Incoming Axdebug/Debug Packets Are Not Captured on Azure ....................................................273
Active FTP on vThunder for Azure With KDEMUX Drivers Does Not Work ..................................273
Passive FTP on vThunder for AWS and Azure Does Not Work .......................................................274
VRRP-A and VCS on vThunder for AWS and Azure Does Not Work ..............................................274
vThunder Cannot Ping Standby Interface in VPPR-A Deployments with L3 Inline Mode ..........274
Hardware Limitations ...........................................................................................................274
Remote Fault Detection Limitation .......................................................................................................274
Combo Console/LOM Interface Requires Splitter Cable ..................................................................274
Auto-negotiation Supported on 1GB On-Board Copper Ports Only ................................................275
Transceivers Not Purchased From A10 Networks May Show Error Message ............................275
Remote Fault Detection Fiber Limitation .............................................................................................275
Documentation Limitations..................................................................................................275
Licensing and Upgrading to ACOS 4.1.1 .............................................................................. 277

Hardware Product SKUs and vThunder Licenses...............................................................277
Hardware Product SKUs and vThunder/Bare Metal Product Licenses .........................................277
Third-party Licenses for Webroot and ThreatSTOP ..........................................................................278
Supported Upgrade Paths ....................................................................................................279
Upgrade Image File Names..................................................................................................280
Upgrading to ACOS 4.1.1 From Legacy 2.7.2.x or 2.8.2.x Releases..................................280
Upgrade Recommendations and Notes ..............................................................................................281
Upgrade Instructions ...............................................................................................................................281
Generating New Profiles .........................................................................................................................282
Migrating Partitions .................................................................................................................................283
Migrating Admins .....................................................................................................................................283
Error Message When Migrating the Default Admin ....................................................................284
Error Message for Admins with Custom Privileges ....................................................................284
Error Messages for Admins with Multiple Partition Privileges .................................................284
page 13
Contents
Reverting to Your 2.7.2.x or 2.8.2.x Release .......................................................................................285

Upgrading to ACOS 4.1.1 From 4.x Releases......................................................................286
Upgrade Fails When Using TFTP ..........................................................................................................286
Special Characters Supported in the GUI ............................................................................................287
Schema Changes that Impact Backward Compatibility ...................................................................287
/axapi/v3/gslb/policy/ .....................................................................................................................288
/axapi/v3/cgnv6 ................................................................................................................................288
/axapi/v3/vpn/ike-gateway .............................................................................................................289
/axapi/v3/system/session/stats ...................................................................................................290
/axapi/v3/slb and /axapi/v3/slb/template ...................................................................................292
/axapi/v3/file and /axapi/v3/import ..............................................................................................292
/axapi/v3/interface ...........................................................................................................................293
/axapi/v3/web-category ..................................................................................................................293
/axapi/v3/slb ......................................................................................................................................294
/axapi/v3/router ................................................................................................................................295
/axapi/v3/router/isis ........................................................................................................................297
Upgrading in a Non-aVCS Environment ...............................................................................................297
Upgrading in an aVCS Environment .....................................................................................................298
Steps After Upgrading to 4.1.1 with an Existing Web-category License ...........................300
Additional Changes and Notes ............................................................................................ 301

Documentation Errata ..........................................................................................................301
Port Batching v2 .......................................................................................................................................301
Logging Enhancements ..........................................................................................................................302
Syslog ..................................................................................................................................................302
Binary Log ...........................................................................................................................................303
RADIUS Log ........................................................................................................................................304
RFC5424 Format and Custom Format .........................................................................................304
NetFlow ...............................................................................................................................................305
Configuring Port Batching v2 in NAT Pools ........................................................................................305
Simultaneous TCP/UDP Port Batch Allocation ..................................................................................306
Configuring TCP/UDP Port Batch Allocation ...............................................................................306
TCP/UDP Port Batch Allocation Logging .....................................................................................307
RADIUS ................................................................................................................................................308
Configuration Example .....................................................................................................................308
Port Block Allocation Interim Logs .......................................................................................................308
Configuring Interim-Update Logs for Port Batch v2 ..........................................................................309
Custom Format Entry and Keywords ............................................................................................309
page 14
Feedback ACOS 4.1.1-P13 Release Notes
Changes to Default Behavior
This chapter highlights the major changes to default or existing behavior in the ACOS 4.x releases as
compared to the earlier releases.
The following topics are covered in this chapter:
• Default Behavior Changes Between ACOS 4.1.1-P9 and ACOS 4.1.1-P10
• Default Behavior Changes Introduced in ACOS 4.1.1-P2
• Default Behavior Changes Between ACOS 4.1.x and ACOS 4.1.1
• Default Behavior Changes Between ACOS 4.1.0-P2 and ACOS 4.1.1
• Default Behavior Changes from ACOS 4.1.0-P2 to ACOS 4.1.0-P3
• Default Behavior Changes Between ACOS 4.1.0 and ACOS 4.1.0-P2
• Default Behavior Changes Between ACOS 4.0.1 and ACOS 4.1.0
• Default Behavior Changes Between ACOS 4.0 and ACOS 4.0.1
• Default Behavior Changes Between Legacy 2.x Releases and ACOS 4.x Releases
Default Behavior Changes Between ACOS 4.1.1-P9 and

ACOS 4.1.1-P10
This topic has the following section:
• External Health Monitor Script Access
External Health Monitor Script Access

With the Selective External Health Monitor Access enhancement included in this release ACOS will
behave differently for the following commands used to access External Health Monitor scripts.
• import health-external – Import an external health monitor script file.
Feedback page 15
FeedbackF
Fee
e
Default Behavior Changes Between ACOS 4.1.1-P3 and ACOS 4.1.1-P4
• health external create – Creates a script file and opens an editor to modify it.
• health external edit – Opens an editor to modify an existing script.
• health external delete – Removes an existing script.
Previously, these commands could be performed by any ACOS admin with Read/Write (R/W) privilege,
including Partition Read/Write (P.R/W). Starting in version 4.1.1-P10, ACOS administrators that are suffi-
ciently and specifically trusted to perform these configuration operations must be specifically provi-
sioned with a new External Health Monitor privilege (HM) for these commands to succeed as this
privilege is disabled by default.
Reflecting the system-wide nature of External Health Monitor scripts in ACOS, the new HM privilege and
these commands are no longer available for ACOS partition-constrained administrators. The new HM
privilege is only permitted for ACOS admin accounts with system-level, Read/Write (R/W) privilege.
Exiting ACOS deployments upgrading to this release or later and which use the External Health Monitor
feature will need to extend their provisioning and configuration for the selected ACOS admin users
trusted to manage this feature. ACOS CLI supports a new command, privilege hm, for this purpose
with equivalent GUI settings and corresponding access settings for external authentication integrations
with TACACS+, RADIUS, and LDAPS.
NOTE: For information on configuring ACOS for this new HM privilege, see the
Management Access and Security Guide. For general information on the
External Health Monitor feature, see the Application Delivery and Server
Load Balancing Guide (Using External Health Methods section).

ACOS 4.1.1-P4
This topic has the following section:
• Support for Downgrading or Disabling the TLS or SSL Version
Support for Downgrading or Disabling the TLS or SSL Version

For a client-ssl template, you can specify to downgrade or disable the TLS or SSL version by running the
version command in the SLB client SSL template configuration mode. The syntax of the command is
as follows:
ACOS(config)# slb template client-ssl SSL

ACOS(config-client ssl)# version ?
page 16
Feedback
<30-33> TLS/SSL version: 30-SSLv3.0, 31-TLSv1.0, 32-TLSv1.1 and 33-TLSv1.2

ACOS(config-client ssl)# version 33 ?
<30-33> Lower TLS/SSL version can be downgraded
ACOS(config-client ssl)# version 33 32
ACOS(config-client ssl)#
NOTE: For more information on the command, see ACOS 4.1.1-P4 Command
Line Interface Reference for SLB Guide.
NOTE: Starting from 4.1.1-P4, SSLv3 is disabled by default. To enable SSLv3, run
the command version 33 30. The default version value is 33 31, which
means downgrade from TLSv1.2 to TLSv1.0 is supported by default.

ACOS 4.1.1-P3
The following changes in default behavior were made between ACOS release 4.1.1-P2 and 4.1.1-P3
releases. This topic has the following sections:
• Session Capacity of SLB Real Servers and Ports Increased to 64 Million Sessions
• aXAPI Configuration Field Name Changed From v3_req to v3-request
• aXAPI Configuration Flag Fields Modified in Schema for slb.template.client-ssl
Session Capacity of SLB Real Servers and Ports Increased to 64

Million Sessions
This enhancement increases the session capacity of SLB real servers and real ports, allowing them to
support up to 64 million sessions. The previous capacity was limited to 8 million sessions.
(A10 Tracking ID 384415)
aXAPI Configuration Field Name Changed From v3_req to v3-request

In aXAPI, “v3_req” configuration field for csr generation is changed to “v3-request”.
page 17
FeedbackF
Fee
e
aXAPI Configuration Flag Fields Modified in Schema for

slb.template.client-ssl
The following three aXAPI configuration flag fields were removed from the slb-template schema in the
ACOS 4.1.1-P2 release:
• forward-proxy-verify-cert-fail-action
• forward-proxy-cert-revoke-action
• forward-proxy-cert-unknown-action
The removal of these fields caused compatibility issues with aXAPI dependent applications. These
fields are added back in the ACOS 4.1.1-P3 release.
After the change, the valid aXAPI request and response would match with that of ACOS 4.1.1-P1 and
earlier releases.
The following is a sample aXAPI request and response example:
POST /axapi/v3/slb/template/client-ssl/
REQUEST:
"client-ssl": {
"name":"new3",
"forward-proxy-verify-cert-fail-action":1, <------ flag field added back
"verify-cert-fail-action":"continue",
"forward-proxy-cert-revoke-action":1, <------ flag field added back
"cert-revoke-action":"bypass",
"forward-proxy-cert-unknown-action":1, <------ flag field added back
"cert-unknown-action":"continue"
}
}
RESPONSE:
"client-ssl": {
"name":"new3",
page 18
Feedback
Default Behavior Changes Introduced in ACOS 4.1.1-P2
"ocsp-stapling":0,
"client-certificate":"Ignore",
"close-notify":0,
"forward-proxy-alt-sign":0,
"enable-tls-alert-logging":0,
"forward-proxy-verify-cert-fail-action":1, <------ flag field added back
"verify-cert-fail-action":"continue", <------ flag field added back
"forward-proxy-cert-revoke-action":1, <------ flag field added back
"cert-revoke-action":"bypass", <------ flag field added back
"forward-proxy-cert-unknown-action":1, <------ flag field added back
"cert-unknown-action":"continue", <------ flag field added back
"notbefore":0,
"notafter":0,
"forward-proxy-ssl-version":33,
"forward-proxy-ocsp-disable":0,
***snipped***
"renegotiation-disable":0,
"authorization":0,
"uuid":"1925ec20-3fa5-11e7-bdc1-f3883dec13ef"
}

The following changes in default behavior are introduced in this release. This topic has the following
sections:
• Default Enabled Cipher Suites Update
• NTP Server Default Ports Update
• Support for the Signature Algorithms List in the SSL/TLS Handshake
• Enabling Gateway Traps
• Global Monitoring Template Configuration
• Deprecated ipv4-list and ipv6-list Options for RADIUS Remote Server
• WAF Policy File Size Limit Increased to 10MB
page 19
FeedbackF
Fee
e
• Deprecated ip-map-list Commands
• Deprecated License Option in the Import Command
• Deprecated Export-periodic Command
• System Template Monitor Command is Changed to System Template-bind Monitor
• Show Run Command is Modified to Not Show Default Values
Default Enabled Cipher Suites Update

The following cipher suites are enabled by default for 4.1.1-P2 (A10 Tracking ID: 371854, 361825):
SSL3_RSA_DES_192_CBC3_SHA
TLS1_RSA_AES_128_SHA
TLS1_RSA_AES_256_SHA
TLS1_RSA_AES_128_GCM_SHA256
TLS1_RSA_AES_256_GCM_SHA384
TLS1_ECDHE_RSA_AES_128_SHA
TLS1_ECDHE_RSA_AES_256_SHA
TLS1_ECDHE_RSA_AES_128_SHA256
TLS1_ECDHE_RSA_AES_128_GCM_SHA256
TLS1_ECDHE_ECDSA_AES_128_SHA
TLS1_ECDHE_ECDSA_AES_128_SHA256
TLS1_ECDHE_ECDSA_AES_256_GCM_SHA384
TLS1_ECDHE_ECDSA_AES_256_SHA
NTP Server Default Ports Update

In ACOS 4.1.1-P2, NTP now listens on both the management and data ports by default.
NOTE: For more information on the original default behavior in 4.1.1-P1 and ear-
lier 4.x releases, refer and see NTP Server Default Ports in Default Behav-
ior Changes Between Legacy 2.x Releases and ACOS 4.x Releases.
Support for the Signature Algorithms List in the SSL/TLS Handshake

Prior to this release, ACOS did not honor requests from clients for signature algorithms (Sig Alg).
page 20
Feedback
Regardless of the Sig Alg list sent by the client, ACOS would always use SHA1. In this release and sub-
sequent releases, ACOS will honor the Sig Alg list request. If ACOS cannot support the algorithm, the
connection is dropped.
The supported algorithms are SHA1, SHA256, SHA384, and SHA512.
Enabling Gateway Traps

Previously, slb gateway traps were enabled through the use of the parameters server-down or server-
up following the CLI command:
snmp-server enable traps slb
This behavior has changed so it no longer enables slb gateway traps. Now, use the parameters gate-
way-down or gateway-up when configuring snmp-server enable traps slb to enable the slb gateway
down or up traps.
Global Monitoring Template Configuration

The “system template monitor” command to globally link a monitoring template to the ACOS device
was replaced by “system template-bind monitor” but both commands could be used to accomplish the
same result. Starting in this release, the “system template monitor” command is fully deprecated and
will no longer be available in the CLI, or supported in any configuration.
NOTE: This change is made in both ACOS 4.1.1-P2 and ACOS 4.1.0-P8 releases.
Deprecated ipv4-list and ipv6-list Options for RADIUS Remote Server

When configuring RADIUS remote server, the ipv4-list and ipv6-list options under the cgnv6 lsn
radius server remote command are deprecated as they do not allow users to configure more than one
ip-list for IPv4 or IPv6 RADIUS clients.
NOTE: This change is backward compatible with 411-P2 and 2.8.2x releases.
For versions prior to 411-P2, the user must change “ipv4-list” and
“ipv6-list” to “ip-list” explicitly.
page 21
FeedbackF
Fee
e
WAF Policy File Size Limit Increased to 10MB

The size limit for WAF Policy Files is increased to 10 MB; previous releases supported file sizes up to
only 256 KB. In addition, the maximum number of learned policy entries is extended to 10240.
• These limits are hard-coded and apply across all platforms and models running ACOS 4.1.1-P2.
• The maximum URL length is extended to 16127 characters. The new upper limit represents the
concatenated total length of all URL strings.
• The file size increase happens after upgrading and is transparent to the user.
• You can set the file size in KB to a value in the supported range, using the following command: waf
policy max-filesize <16-10240>
• After upgrading, if you do not change the value, then the default value (32KB) will be used.
Deprecated ip-map-list Commands

Support for ip-map-list commands is removed.
Deprecated License Option in the Import Command

Support for importing old v1 license using the “license” option in the import command is removed.
This “license” option is also removed from the “import-periodic” and “import to-device” commands.
The option to import glm-license is still supported under all the above mentioned import variants.
Deprecated Export-periodic Command

Support for the “export-periodic” command is removed.
System Template Monitor Command is Changed to System

Template-bind Monitor
The CLI command “system template monitor <id>” is made obsolete. This command is replaced by
the new command “system template-bind monitor <id>” which is available since 410 release.
This release just removes the obsolete command.
page 22
Feedback
Default Behavior Changes Between ACOS 4.1.x and ACOS 4.1.1
Show Run Command is Modified to Not Show Default Values

The default values of the Client-SSL template that showed up in the “show run” command output is
removed.
Default Behavior Changes Between ACOS 4.1.x and

ACOS 4.1.1
The following changes in default behavior were made between ACOS release 4.1.1 and earlier 4.x
releases. This topic has the following sections:
• Use of Special Characters for Object Names
• Explicit HTTP-Proxy Configuration and Class-Lists Change
• General GUI Support
• vThunder ADC License Expiration Behavior
• Legacy Proxy Chaining Configuration
• Upgrading to 4.1.1 Might Cause a Web-Category License to Become Corrupt
• VRID Default
• Tunnel-Endpoint-Address
• LOM Interface CLI Changes
• GSLB aXAPI Policy Parameters
Use of Special Characters for Object Names

If the use of special characters is required in naming an object, it is recommended that the CLI be used.
An example of an object name would be the name of a class-list.
(A10 Tracking ID 354830).
Explicit HTTP-Proxy Configuration and Class-Lists Change

An IPv4 class-list which contains 0.0.0.0/0 or an IPv6 class-list containing ::/0 cannot be bound to an
SLB template policy.
page 23
FeedbackF
Fee
e
Default Behavior Changes Between ACOS 4.1.x and ACOS 4.1.1
Workaround
To create a similar rule of IP matching with the following constraints, use the destination any or
match-any rule as part of your source policy configuration.
General GUI Support

The GUI design is independent of the CLI, rather than an exact replica of the CLI. Therefore, there is not
a one-to-one mapping between CLI commands and GUI fields.
The GUI is an abstraction of the CLI with a focus on streamlined workflow, reduced complexity, and a
user-friendly experience.
vThunder ADC License Expiration Behavior

When a vThunder license has expired, ADC functionality will continue, but at a reduced bandwidth for
ACOS 4.1.1x.
Previously, all the functionality would cease to work with 4.1.0x for expired licenses.
Legacy Proxy Chaining Configuration

The proxy-chaining parameter option for enabling proxy-chaining through the forward-policy-action sub-
configuration using the forward-to-internet or forward-to-service-group command is replaced by
the forward-to-proxy command.
This change does not affect earlier proxy-chaining configurations. Any configurations utilizing the
proxy-chaining parameter from earlier 4.x releases will continue to function.
Upgrading to 4.1.1 Might Cause a Web-Category License to Become

Corrupt
If you have an existing web-category license and upgrade to 4.1.1, the web-category license state may
become corrupt.
To recover from this state, from the web-category sub-configuration, re-enable web-category through
the enable command. Ensure your ACOS appliance is already configured to establish a connection with
the Global Licensing Manager (GLM).
NOTE: This action only needs to be done the first time after an upgrade.
page 24
Feedback
Default Behavior Changes Between ACOS 4.1.0-P2 and ACOS 4.1.1
VRID Default
The vrid default command is revised to vrid 0 in VPN IKE-Gateway and VRRP-A configurations, with
the range of <0-31> and range <0-7> in partitions.
Tunnel-Endpoint-Address
With the support for multiple tunnel endpoints, the cgnv6 lw-4o6 tunnel-endpoint-address command
and the “LW-4over6 Tunnel Endpoint not Configured Drops” counter were removed.
LOM Interface CLI Changes

The following CLI changes for LOM interface configuration are introduced:
• The ipmi options command in previous releases is replaced with system ipmi options.
• The ipmi ip (to view the IPMI IP configuration) and ipmi user list (to view the IPMI user config-
uration) commands are deprecated. Both IPMI IP and user configuration can be viewed with the
new show ipmi command.
GSLB aXAPI Policy Parameters

The parameters for weighted-ip, bw-cost, weighted-site, and active-servers are removed from the /
axapi/v3/gslb/policy/ POST and PUT payload objects. Revise any existing payloads to remove these
fields.

ACOS 4.1.1
The following changes in default behavior were made between ACOS release 4.1.1 and earlier 4.x and
2.7.2.x releases. This topic has the following sections:
• Configuring Trunk IDs
• Web Category BrightCloud Server Query Timeout Default Changed
• AAM Authentication Template Name Supports 127 Characters
• Default Contents of Exported AX Debug Files are Changed
• Selecting Multiple Class-lists in an SLB Policy Template
page 25
FeedbackF
Fee
e
Default Behavior Changes Between ACOS 4.1.0-P2 and ACOS 4.1.1
• Viewing Resource Usage Statistics
Configuring Trunk IDs

The trunk-group command is updated so that an ID in the range 1-4096 can be configured; previously,
only IDs in the range 1-16 were allowed.
This change does not impact any upgrade scenarios. For downgrade scenarios, note that if you are
downgrading from Release 4.1.1 to any earlier release and your release 4.1.1 trunk configuration uses
ID numbers greater than 16, the configuration will be rejected by the older release.
Web Category BrightCloud Server Query Timeout Default Changed

The default maximum number of seconds to wait for the BrightCloud server to respond to a query from
ACOS has changed from 30 seconds to 15 seconds.
NOTE: For more information, see “server-timeout” under “web-category” in the

Command Line Interface Reference for ADC.
AAM Authentication Template Name Supports 127 Characters

The aam authentication template command supports up to 127 characters when specifying the tem-
plate name; previous releases supported only up to 63 characters.
Default Contents of Exported AX Debug Files are Changed

In previous releases, an exported AX debug file was a.tgz archive containing all of the merged content
and per-CPU files.
This is changed in Release 4.1.1 so that only the merged files are exported in a PCAP format, and the
per-CPU files are not included. You can use additional options in the CLI to retain the original; behavior.
NOTE: For more information, see “export-periodic” or “export” in the Command

Line Interface Reference Guide.
Selecting Multiple Class-lists in an SLB Policy Template

The ability to select multiple class-lists in an SLB policy template configuration is deprecated. In previ-
ous releases, the following was possible:
page 26
Feedback
Default Behavior Changes from ACOS 4.1.0-P2 to ACOS 4.1.0-P3
ACOS(config)# slb template policy pol1

ACOS(config-policy)# forward-policy
ACOS(config-policy-forward-policy)# source destrule1
ACOS(config-policy-forward-policy-source)# match-class-list clist1 or clist2
ACOS(config-policy-forward-policy-source)# destination any action A1
In Release 4.1.1 and beyond, the equivalent configuration is:

ACOS(config)# slb template policy pol1
ACOS(config-policy)# forward-policy
ACOS(config-policy-forward-policy-source)# match-class-list clist1
ACOS(config-policy-forward-policy-source)# exit
ACOS(config-policy-forward-policy-source)# match-class-list clist2
Viewing Resource Usage Statistics

The following resource usage CLI commands are changed:
Previous Command 4.1.1 Command

system resource-usage options system resource-accounting template name
app-resources options |
network-resources options |
system-resources options
show resource-usage show resource-accounting
clear resource-usage clear resource-accounting
NOTE: For more information, see “show resource-accounting” in the Command

Line Interface Reference Guide.
Default Behavior Changes from ACOS 4.1.0-P2 to ACOS

4.1.0-P3
The following changes in default behavior were made between ACOS release 4.1.0-P3 and earlier 4.x
and 2.7.2.x releases. This topic has the following sections:
page 27
FeedbackF
Fee
e
• Default TLS Version and Behavioral Changes for Server SSL
Default TLS Version and Behavioral Changes for Server SSL

The default TLS version for the SSL session with the Internet server is set to 1.0 in release 4.1.0 and
changed to 1.2 in release 4.1.0-P3. The TLS version in TLS handshake is to communicate to the server
the highest TLS version that can be supported.
The version command behavior, when configuring a server SSL SLB template has also changed regard-
ing downgrades from 4.1.0 to 4.1.0-P3.
The following Table 1 lists the default TLS version for Server SSL Handshake and the associated SSL
version numbers for corresponding ACOS releases and behavioral changes to the version command.
TABLE 1 TLS Version Chart

Minimum
ACOS Default TLS Downgrade
Release version Version Behavior Description
2.7.2-x 1.2 1.0 The version command in server-SSL template configuration is
4.0-x only used for normal SSL offload and has no effect on SSLi.
4.0.1-x
4.0.3-x
page 28
Feedback

Minimum
4.1.0 1.0 1.0 The version command in the server-SSL template is also used for
4.1.0-P1 SSLi. The downgrade must be explicitly configured for a down-
grade to occur.
4.1.0-P2
In the following example, no downgrade will occur, and only TLS
1.2 is allowed:
ACOS(config)#slb template server-ssl sssl

ACOS(config-server ssl)#version 33
To allow a downgrade to a different version, specify a minimum

downgrade version. In this example, TLS version 1.0 is the mini-
mum allowable version that can be used to communicate with the
server:
ACOS(config-server ssl)#version 33 31
In SSLi configurations, the version configured on the server-SSL

template must match the forward-proxy-ssl-version config-
ured on the client-SSL template. For example, in the client-SSL
template:
ACOS(config)#slb template client-ssl cssl

ACOS(config-client ssl)#forward-proxy-ssl-version 33
page 29
FeedbackF
Fee
e
Default Behavior Changes Between ACOS 4.1.0 and ACOS 4.1.0-P2

Minimum
4.1.0-P3 1.2 1.0 The behavior of the version command is changed so that a down-
grade to the default downgrade version can occur even if not spec-
ified.
The following configurations would have the same behavior; TLS

version 1.0 is the minimum allowable version that can be used:


ACOS(config-server ssl)#version 33
To disable downgrading, you must set the version and the mini-
mum downgrade version to be the same:

As is the case with Release 4.1.0, 4.1.0-P1, and 4.1.0-P2, in SSLi

configurations, the version configured on the server-SSL template
must match the forward-proxy-ssl-version configured on the
client-SSL template.
NOTE: For more information, see the “version” command in the “Config Com-
mands: SLB Server SSL Templates” chapter in the Command Line Inter-
face Reference for ADC.
Default Behavior Changes Between ACOS 4.1.0 and

ACOS 4.1.0-P2
This section contains the following changes between ACOS release 4.1.0-P2 and earlier 4.x releases.
This topic has the following sections:
• TCP Proxy Retransmission Retries Default Changed
• Default Value Changed for receive-buffer and transmit-butter in TCP-Proxy Template
page 30
Feedback
Default Behavior Changes Between ACOS 4.0.1 and ACOS 4.1.0
TCP Proxy Retransmission Retries Default Changed

In release 4.1.0-P2, the default value for TCP Proxy retransmission retries was changed from 3 to 5.
NOTE: For more information, see “slb template tcp-proxy” in the Command
Line Interface Reference for ADC.
Default Value Changed for receive-buffer and transmit-butter in TCP-

Proxy Template
In release 4.1.0-P2, the default value for the receive-buffer and transmit-buffer commands under
SLB TCP-Proxy template configuration was changed from 50KB (51200 bytes) to 200KB (204800
bytes).
NOTE: For more information, see “slb template tcp-proxy” in the Command
Line Interface Reference for ADC.
Default Behavior Changes Between ACOS 4.0.1 and

ACOS 4.1.0
This section contains CLI changes between ACOS release 4.1.0 and 4.0.1. This topic has the following
sections:
• Spaces in VIP Names are Not Supported
• Viewing the Active Device Statistics in aVCS Configurations
• SNMP CLI Changes
• Show class-list Command Change
• Initial TCP Congestion Window
• dns-cache-enable round-robin Command Change
• Deprecated CLI Commands
• Enhanced Black/White List Error Parsing Behavior
• Webroot and ThreatSTOP Licensing Behavior
• Changes to Formatting of NetFlow Records for Long-lived Sessions
page 31
FeedbackF
Fee
e
Spaces in VIP Names are Not Supported

Release 4.1.0 no longer supports spaces or special characters in VIP names.
If you have spaces or special characters in your VIP names, you must rename them appropriately
before upgrading to release 4.1.0.
Viewing the Active Device Statistics in aVCS Configurations

The active-vrid option is no longer supported and is removed from all show commands in the CLI.
SNMP CLI Changes

The following SNMP CLI commands are deprecated:
• snmp-server community read

• snmp-server user
These CLI commands are not removed from the CLI for backwards-compatibility purposes, but if you
attempt to use them in release 4.1.0 the CLI will return an error message.
NOTE: For more information about the new CLI commands, SNMP community
string, and user configuration, see the “Simple Network Management Pro-
tocol (SNMP)” chapter in the System Configuration and Administration
Guide.
Show class-list Command Change

In ACOS 4.1.0, the following usage guideline is added to the show class-list command:
Usage For Aho-Corasick (AC) class lists, enter the write memory command immedi-
ately before entering show class-list.
Initial TCP Congestion Window

In release 4.1.0, the default values for initial TCP congestion window (init-cwnd, configured under SLB
TCP proxy template) are changed as follows:
• Default is 10 segments (previous was 4)
• Configurable range is 1-15 (previous was 1-10)
page 32
Feedback
dns-cache-enable round-robin Command Change

When using the dns-cache-enable round-robin command, the DNS transaction ID (which is random) is
now used to assist in the round-robin. This behavior is better for heavy traffic, but the side effect is that
it will not strictly follow the round-robin.”
Deprecated CLI Commands

The following options are deprecated under aam authentication portal default-portal:
• reset-change-password
• reset-logon
• reset-logon-fail
Enhanced Black/White List Error Parsing Behavior

In release 4.1.0, errors in a Black/White list entry cause the entire entry to be completely ignored; traffic
is neither dropped nor allowed because of any errors.
The error is still logged in the same manner as in all previous releases.
Webroot and ThreatSTOP Licensing Behavior

In release 4.1.0, a new licensing scheme is in effect with regard to Webroot and ThreatSTOP. Things to
note about the licensing behavior:
• If you have network access during system set-up, the ACOS device will communicate with the
Global Licensing Manager to verify your licensing status once you use the glm enable-requests
command. If you do not have network connectivity, then you will have to import the license manu-
ally and start a new CLI session. See glm enable-requests, import glm-license, and show
license-info in the Command Line Interface Reference for further info about managing your
license.
• The show license-info command will show the expiry date of none or N/A for Webroot and
ThreatSTOP. However, an additional Webroot or ThreatSTOP license is required for usage.
NOTE: See the Global License Manager User Guide for further info about obtain-
ing and managing your license.
page 33
FeedbackF
Fee
e
Changes to Formatting of NetFlow Records for Long-lived Sessions

The following sections are covered under this topic:
• Details
• Samples NetFlow Records Using the Old Formatting Approach
• Samples NetFlow Records Using the New Formatting Approach
Details
In release 4.1.0, there is a change in the formatting of the “start time” and “duration” fields in NetFlow
records for long-lived sessions (typically defined as those lasting more than 10 minutes).
For each new NetFlow record created for a session on the ACOS device, the NetFlow record will show
the time that the session began as the start time. Therefore, NetFlow records sent out for different ses-
sions will have different start times.
However, for long-lived sessions (for example, 15 minutes), if the flow-timeout period is set to 5 min-
utes, then ACOS will produce three flow records for one 15-minute session. The three flow records will
each have the same start time, because the records are reporting on the same session.
In previous releases, the NetFlow records would erroneously reset the start time to the time at which
the previous NetFlow record was exported. This behavior was incorrect, because instead of having
three records with the same start time, there were three records that had incrementally larger start
times, even though they were for the same session.
The following sub-sections show sample records using the old (incorrect) approach, as well as a sam-
ple of records using the new approach.
Samples NetFlow Records Using the Old Formatting Approach
Duration: 318.000000000 seconds (5:18)

StartTime: Feb 2, 2015 12:35:52.341000000 Russia TZ 2 Standard Time
Note that the duration plus the StartTime is equal to 12:41:10.341 (this became the new
start time for the next record)
Duration: 356.964000000 seconds (5:56.964)

Note that the duration plus the StartTime is equal to 12:47:7.305 (this became the new
start time for the next record)
Duration: 356.960000000 seconds

StartTime: Feb 2, 2015 12:47:07.305000000 Russia TZ 2 Standard Time (and so on...)
page 34
Feedback
Default Behavior Changes Between ACOS 4.0 and ACOS 4.0.1
Samples NetFlow Records Using the New Formatting Approach

NOTE: Instead of resetting the start time to the time at which the most recent
NetFlow record was exported, the start time remains the same for all
three records for this session. In addition, the duration is not reset to zero,
but it is incrementally larger for each record, because more time has
elapsed since the first, second, and third records were sent.
The benefit of this new approach to formatting the session “start time” and “duration” fields in the Net-
Flow records is that the new approach essentially joins the records into a single session that can be
more easily stored and searched in a database.
The following types of records are impacted by this change in behavior:
• dslite – DS-Lite Flow Record Template
• nat44 – NAT44 Flow Record Template
• nat64 – NAT64 Flow Record Template
• netflow-v5 – NetFlow V5 Flow Record Template
• netflow-v5-ext – Extended NetFlow V5 Flow Record Template, supports ipv6
NOTE: For more information about configuring NetFlow, see the “NetFlow v9
and v10(IPFIX)” chapter in the System Configuration and Administration
Guide.
Default Behavior Changes Between ACOS 4.0 and ACOS

4.0.1
This section contains CLI changes between ACOS release 4.0 and 4.0.1. This topic has the following
sections:
• AAM SSL Client Certificate Authentication via LDAP
page 35
FeedbackF
Fee
e
• VRRP-A CLI Changes
• Overlay CLI Changes
• CGNv6 DDoS IP Anomaly Checks
AAM SSL Client Certificate Authentication via LDAP

In release 4.0, the ACOS device extracts the content in subject-alt-name-othername from the client cer-
tificate to use for LDAP authentication.
In release 4.0.1, the default is changed so that the ACOS device uses the virtual port’s client SSL tem-
plate configuration.
ACOS-Active(config)#slb template client-ssl client-ssl

ACOS-Active(config-client ssl)#auth-username ?
common-name Certificate subject common name
subject-alt-name-email Subject Alternative Name - extension email
subject-alt-name-othername Subject Alternative Name - other name
The default content extracted is common-name, but this may be configured to suit your specific needs for
LDAP authentication.
NOTE: For more information about these options, see the “slb template cli-
ent-ssl” command in the Command Line Interface Reference.
VRRP-A CLI Changes

This section describes the following VRRP-A CLI changes in release 4.0.1. This section has the follow-
ing sub-sections:
• Disable VRRP-A
• Force-Self-Standby
• Persistent Force-Self-Standby
• VRID Fail-Over Policy Template
• VRID Priority
• VRID Tracking Options
page 36
Feedback
Disable VRRP-A
ACOS 4.0 configuration:
no enable
ACOS 4.0.1 configuration:
disable
Force-Self-Standby
vrrp-a common
vrrp-a force-self-standby
vrrp-a force-self-standby vrid 3
Persistent Force-Self-Standby
vrrp-a common
vrrp-a force-self-standby vrid 3 persistent
vrrp-a force-self-standby-persistent vrid 3
VRID Fail-Over Policy Template

page 37
FeedbackF
Fee
e
vrrp-a vrid 0
fail-over-policy-template template1
vrrp-a vrid 0
blade-parameters
fail-over-policy-template template1
VRID Priority
vrrp-a vrid 0
priority 200
vrrp-a vrid 0
blade-parameters
priority 200
VRID Tracking Options

vrrp-a vrid 0
tracking-options
...
vrrp-a vrid 0
blade-parameters
tracking-options
...
page 38
Feedback
Overlay CLI Changes

This section has the following sub-section:
• Show Overlay Configuration
Show Overlay Configuration

ACOS 4.0 command:
show overlay-tunnel
ACOS 4.0.1 command:
show running-config overlay-tunnel
CGNv6 DDoS IP Anomaly Checks

The following CGNv6 DDoS IP Anomaly checks are removed from FPGA platforms in ACOS 4.0.1:
• Bad IP Flags
• UDP Port Loopback
• UDP Kerberos Frag
• IPv4 Options
NOTE: These checks remain applicable on non-FPGA platforms. The full list,
including these checks, can be found in the IPv6 Transitions Solution
Guide.
page 39
FeedbackF
Fee
e
Default Behavior Changes Between Legacy 2.x Releases and ACOS 4.x Releases
Default Behavior Changes Between Legacy 2.x Releases

and ACOS 4.x Releases
• Discontinued and No Longer Supported Configuration Parameters
• Default Behaviors for Private Partitions
• Configuring High Availability
• Admin Roles
• End-user Scripts Must Add Delay for SLB Policy Templates
• Interfaces are Disabled by Default
• Confirming Hardware-based Compression Support
• Rate Limit Neighbor Discovery Messages for IPv6
• IP-anomaly Filtering
• Applying Global Link Monitoring Templates
• Memory Usage and Data CPU Statistics Display in GUI
• Default Behavior of Layer 2 Handling on the Default VLAN
• Specifying the Logging Severity Level
• NTP Server Default Ports
• Disable Audit Logging Not Saved to the Running Config
• Upgrading From 2.7.2 to 4.X Causes MTU Configuration to be Lost
Discontinued and No Longer Supported Configuration Parameters

• dh-param 512 in client-ssl template configuration
In an slb template client-ssl configuration, in 4.1.1-P2, the dh-param 512 option is no longer supported.
So if upgrading from 2.7.2-P10 to 4.1.1-P2, if the user has a Diffie Hellman configuration using 512, dh-
param 512, in an slb template client-ssl configuration, the configuration will no longer work.
(A10 Tracking ID: 373184)
NOTE: 4.1.1-P2 supports Diffie Hellman 1024, 1024-dsa and 2048.
page 40
Feedback
Default Behaviors for Private Partitions

This section has the following sub-sections:
• Only L3V Partitions are Supported
• Partition IDs are Mandatory
• Unloading and Deleting a Partition
• New Show Commands in the CLI
• Partitions are SLB or CGN-specific
Only L3V Partitions are Supported

The only type of partition that can be created in ACOS 4.x is an L3V partition; legacy RBA partitions are
no longer supported.
NOTE: For more information, see “Understanding L3V Partitions” in the Configur-
ing Application Delivery Partitions Guide.
A new implementation of RBA, called Role-Based Access Control, is introduced in this release. This fea-
tures enables the creation of multiple users, groups, and roles with varying degrees of permissions.
NOTE: For more information, see “Role-Based Access Control” in the Manage-
ment Access and Security Guide.
Partition IDs are Mandatory

When configuring an L3V partition, specifying a partition ID is now mandatory. In addition, the partition
ID is mapped to the L3V partition and remains unique in the system. If a partition “CorpA” is configured
with ID 1, then ID 1 cannot be re-used by another partition on the system.
NOTE: For more information, see “L3V Partition Configuration” in the Configuring
Application Delivery Partitions Guide.
Unloading and Deleting a Partition

The no form of the partition command unloads a configuration profile from the system; in order to per-
manently delete a partition, you must use the delete partition command.
NOTE: For more information, see “Understanding L3V Partition Profiles” in the
Configuring Application Delivery Partitions Guide.
page 41
FeedbackF
Fee
e
New Show Commands in the CLI

The show partition command is enhanced to provide options for viewing inactive partitions, available
IDs for partition configuration, and port usage for partitions.
NOTE: For more information, see “show partition” in the Configuring Application
Delivery Partitions Guide.
Partitions are SLB or CGN-specific

ACOS 4.x supports both SLB and CGN features, but only one can be enabled in each partition. SLB and
CGN features cannot be run together in the same partition.
NOTE: For more information, see “Enabling SLB or CGN in Partition” in the Config-
uring Application Delivery Partitions Guide.
Configuring High Availability

Only VRRP-A high availability is supported in ACOS 4.x releases; the legacy High Availability (HA) config-
uration is no longer supported.
NOTE: For more information, see the Configuring VRRP-A High Availability Guide.
Admin Roles
The ACOS 4.x releases support only 5 admin roles, compared to 12 from previous releases. The follow-
ing Table 2 summarizes this information:
TABLE 2 Admin Role Comparison

Admin Role Supported in Legacy Releases? Supported in 4.x Releases?
ReadOnlyAdmin Yes Yes
ReadWriteAdmin Yes Yes
SystemAdmin Yes No
NetworkAdmin Yes No
NetworkOperator Yes No
SlbServiceAdmin Yes No
SlbServiceOperator Yes No
PartitionReadWrite Yes Yes
PartitionNetworkOperator Yes No
PartitionSlbServiceAdmin Yes No
page 42
Feedback
TABLE 2 Admin Role Comparison

Admin Role Supported in Legacy Releases? Supported in 4.x Releases?
PartitionSlbServiceOperator Yes Yes
PartitionReadOnly Yes Yes
End-user Scripts Must Add Delay for SLB Policy Templates

For end-user scripts that perform simultaneous update, deletion, or re-creation of the following:
• SLB policy templates
• Binding of an SLB policy template to a virtual port
• Binding of SLB policy template to system
• Binding of SLB policy template to virtual server
• Modifying fields of an already bound policy template.
The script must be modified to include a delay of a few seconds between actions.
In previous releases, ACOS automatically re-tried the action after two seconds; this is no longer the case
in 4.0.
Interfaces are Disabled by Default

In ACOS 4.x releases, the output of the show running-config command does not show “disable” for dis-
abled interfaces.
In the legacy 2.x releases, the following section of show running-config output would indicate that inter-
face ethernet 5 is enabled and ethernet 6 is disabled:
interface ethernet 5
trunk-group 1
!
disable
trunk-group 1
!
In the ACOS 4.x CLI, the same configuration would be shown as follows:
page 43
FeedbackF
Fee
e
enable
trunk-group 1
!
trunk-group 1
!
The “non-default” state of enabled is explicitly shown, while the “default” state of disabled is not
shown.
Confirming Hardware-based Compression Support

The show hardware command can be used to confirm is your device supports hardware-based com-
pression:
ACOS# show hardware

AX Series Advanced Traffic Manager AX3400
Serial No : AX34051112300079
CPU : Intel(R) Xeon(R) CPU
12 cores
2 stepping
Storage : Single 74G drive
Memory : Total System Memory 24738 Mbyte, Free Memory 10163 Mbyte
SMBIOS : Build Version: 080016
Release Date: 06/15/2012
SSL Cards : 1 device(s) present
1 Nitrox PX
GZIP : 0 compression device(s) present
FPGA : 4 instance(s) present
Date : 12172013
L2/3 ASIC : 1 device(s) present
Ports : 28
In ACOS 2.x releases, the “GZIP” field is always present in the output and will show whether or not a
hardware-based compression module is installed on your device; a “0” in this field means that hardware-
based compression is not supported.
In ACOS 4. releases, this field appears, only if a GZIP module is installed on the device.
page 44
Feedback
Rate Limit Neighbor Discovery Messages for IPv6

Similar to the rate limiting that is enabled for ARP in IPv4, this release now contains rate limiting of
neighbor discovery messages for iPv6. This is enabled by default, with no configuration necessary.
On receipt of an IPv6 packet for which no MAC address exists in the neighbor table, the new behavior is
that an ND message is sent for that packet, and a two-second timer is started. No further ND messages
are sent for the unresolved packet for 20 ms.
After five unresolved ND messages are sent for a given neighbor during the two-second timer, no addi-
tional messages are sent.
IP-anomaly Filtering
In ACOS 2.x releases, IP anomaly filtering is disabled by default for all anomaly except for ip-option.
In ACOS 4.x releases, IP anomaly filtering is disabled by default for all anomaly types, including ip-
option.
Applying Global Link Monitoring Templates

In ACOS 2.x releases, use the system template monitor command to globally apply a link monitoring
template.
In ACOS 4.x releases, this command is changed to system template-bind monitor.
Memory Usage and Data CPU Statistics Display in GUI

When viewing the Memory Usage and Data CPU Statistics from the Dashboard>>System page, the
chart will only display a time range with data.
This differs from 2.7.x which would display the selected time range even if there was no data.
Default Behavior of Layer 2 Handling on the Default VLAN

For a system configured in gateway mode or a system without any IP address, Layer 2 MAC learning
and Layer 2 forwarding are disabled on the default VLAN (VLAN=1). In transparent mode, Layer 2 MAC
learning and Layer 2 forwarding are enabled on the default VLAN.
Layer 2 MAC Learning and Layer 2 forwarding on the default VLAN may be enabled by using the vlan-
global enable-def-vlan-l2-forwarding command under global configuration mode.
page 45
FeedbackF
Fee
e
NOTE: It is recommended that Static MACs must not be configured in the

default VLAN in gateway or no-IP address mode, since Layer 2 MAC
learning and Layer 2 forwarding is disabled by default in these modes. If
you need to use static MACs in the default VLAN, enable forwarding on
the default VLAN using the vlan-global enable-def-vlan-l2-forward-
ing command under config mode.
Specifying the Logging Severity Level

When configuring logging in ACOS 2.x releases, you could specify either the severity level number (for
example, “3”) or the level (for example, “error”).
In ACOS 4.x releases and later, you must specify the word representing the severity level; specifying the
severity level number is invalid.
NTP Server Default Ports

In ACOS 2.7.x releases, NTP listens on both the management and data ports by default. In ACOS 4.x
releases, NTP only listens on the management port by default.
To enable NTP to listen on data ports, use the ntp allow-data-ports command.
Disable Audit Logging Not Saved to the Running Config

In ACOS 2.7.x releases, the no audit enable command to disable audit logging is saved to the running
configuration and is persistent across device reload and reboot operations.
In ACOS 4.x releases, this command is not saved to the running configuration, and therefore must be
reconfigured after each reload or reboot operation.
Upgrading From 2.7.2 to 4.X Causes MTU Configuration to be Lost

In ACOS 2.7.2 release, if you create an “interface trunk <>”, the trunk is considered to be an L3 interface.
However, in ACOS 4.x release, if you configure “interface trunk <>”, until you configure some IP address
to it, the trunk is considered as an L2 interface.
The ACOS 2.7.2 release allows you to configure MTU on ethernet interfaces even if they are part of the
trunk. The ACOS 4.x release does not allow you to configure MTU on ethernet interfaces, if they are a
member of the trunk.
page 46
Feedback
This causes the MTU configuration to be rejected from the system on upgrading from 2.7.2 to 4.x. You
can find the MTU configuration under the interface inside startup configuration after upgrade as shown
below.
ACOS#show run
!Current configuration: 435 bytes
!Configuration last updated at 15:40:35 CST Tue Apr 25 2017
!Configuration last saved at 15:40:35 CST Tue Apr 25 2017
!64-bit Advanced Core OS (ACOS) version 4.1.1-P3, build 45 (Jun-5-2017,11:44)
!
partition p1 id 11
!
partition p2 id 12
!
tftp blksize 32768
!
hostname TH3030S
!
timezone Asia/Shanghai
!
system-jumbo-global enable-jumbo
!
interface management
ip address 10.16.21.109 255.255.255.0
ip default-gateway 10.16.21.1
!
name test-eth
load-interval 10
duplexity Full
speed 1000 ===> MTU not here in running config since it is rejected from system
flow-control
enable
lldp enable rx
trunk-group 1
!
ACOS(config)#show start
Show configuration profile "empty2_40"
Building configuration...
!Current configuration: 1356 bytes
page 47
FeedbackF
Fee
e
!64-bit Advanced Core OS (ACOS) version 4.1.1-P3 build 45 (June-5-2017,15:40)

!
partition p1 id 11
!
partition p2 id 12
!
hostname TH3030S
!
timezone Asia/Shanghai
!
system-jumbo-global enable-jumbo
!
trunk-group 1
trunk-group 1
!
trunk-group 2
trunk-group 2
!
interface management
ip address 10.16.21.109 255.255.255.0
ip default-gateway 10.16.21.1
!
name "test-eth"
mtu 1300 ===> MTU in statup configuration
flow-control
speed 1000
duplexity Full
lldp enable rx
monitor both
load-interval 10
enable
page 48
Feedback
page 49
FeedbackF
Fee
e
page 50
What’s New
This chapter provides a brief overview of the new features added in the every instance of 4.1.1 patch
releases. This chapter has the following topics:
• ACOS 4.1.1-P13 New Features
• ACOS 4.1.1 New Features
ACOS 4.1.1-P13 New Features

The following vertical enhancements are tabulated in the ACOS 4.1.1-P13 release.
NOTE: Starting from the ACOS release versions 4.1.1-P12 and 4.1.4, there is
an additional check added. It helps and prevents the user from configur-
ing the no-dest-nat feature under a virtual-server if the same service-
group under the virtual-server in question is bound to another virtual-
server. In some cases, there may be a specific requirement, where the
user needs to bind one service-group under multiple virtual-server
with no-dest-nat enabled. To accommodate such requirements, a new
Feedback page 51
FeedbackF
Fee
e
configuration option is added in the ACOS versions 4.1.1-P13 and

4.1.4-GR1-P3 onwards.
Network Enhancements
The following updates and feature enhancement details are included in the ACOS 4.1.1-P13 release.
NOTE: For legacy customers that are upgrading from the ACOS 4.1.1-P11 or
older release and who already have a configuration in place, which uses
the same service-group bound to multiple virtual-server with no-
dest-nat, enabled, they need to contact the A10 Networks® support, prior
to upgrading to the latest release, as the configuration needs to be
updated after the upgrade. Also, users with such profiles are recom-
mended to schedule downtime during the upgrade process to avoid any
impact.
Same Service-group Binding on Different “no-dest-nat”(DSR) Virtual Ports

A check is added to prevent the user from configuring the no-dest-nat, under a virtual-server, if the
same service-group under the virtual-server is bound to another virtual-server.
• In some cases, if the user needs to bind one service-group under multiple virtual-server with,
the feature no-dest-nat is enabled.
• To accommodate such requirements, a new configuration option is added in the ACOS 4.1.4-
GR1-P3 release version onwards.
The configuration option is configured and it is as the following:
slb common
service-group-on-no-dest-nat-vports allow-same
• This feature supports the same service-group to be configured on different VIPs when its port
uses no-dest-nat.
• The ACOS now allows the same service-group to bind to multiple virtual ports or on virtual ports
on different VIPs.
Known Issues and Limitations
Health check operating in the DSR mode is incompatible if the user enables “dsr-health-check-enable”
and binds the same service-group on multiple no-dest-nat virtual ports.
page 52
Feedback
CLI Configuration
The new command service-group-on-no-dest-nat-vports has the following options to support this
feature:
• allow-same: Allows the binding of service-group on no-dest-nat virtual ports.
• enforce-different: Enforces that the same service-group can not be bound on different no-
dest-nat virtual ports.
• This configuration is supported in both shared and L3V partitions.
GUI Configuration
The following GUI update is made on the ACOS GUI:
• A new field Service Group Binding on no-dest-nat vPorts is added under ADC > SLB >
Global page with drop-down list options, as “Allow Same” and “Enforce Different”.
• The default option is “Enforce Different”.
aXAPI Configuration
This feature is supported by aXAPI.
NOTE: For more details, see the latest edition of the release specific aXAPI Ref-
erence Guide.

There are no enhancements introduced in the ACOS 4.1.1-P12 release.

There were no enhancements introduced in the ACOS 4.1.1-P11 release.

The following enhancements are introduced for ACOS 4.1.1-P10. This topic has the following sections:
page 53
FeedbackF
Fee
e
• Application Access Management Enhancements
• SSLi Enhancements
• Platform Enhancements
Application Access Management Enhancements

This section has the following topic:
• Selective External Health Monitor Access
Selective External Health Monitor Access

This enhancement introduces a new administrator privilege allowing ACOS administration to selectively
control which individual administrators can access External Health Monitoring scripts in ACOS. This
ability is important in the secure administration of ACOS systems as it allows fine-grained control of
individual administrators who can instantiate or modify External Health Monitoring scripts and
potentially expose the ACOS system to compromises of malicious purpose or malicious content using
these scripts as a delivery vehicle.
Formerly, all ACOS admins with any type of Write privilege had access to these services. With this
enhancement all ACOS admins, with the exception for the ACOS root admin, are not allowed to import,
create, edit/modify, or delete External Health Monitor scripts as a default. Only ACOS, system-level
admins with Read-Write (R/W) privilege and specifically assigned this new privilege will be permitted to
perform these operations for External Health Monitor scripts.
In ACOS, these monitoring scripts have broad and intimate access throughout the ACOS system.
Accordingly, this new privilege is not available to partition constrained ACOS admins.
In addition to adding this privilege setting to CLI commands and GUI pages, corresponding access
settings were added to TACACS+, RADIUS, and LDAP interfaces for externally authenticated
environments
NOTE: For more information, see the Application Delivery and Server Load Bal-
ancing Guide (Using External Health Methods section) and the Manage-
ment Access and Security Guide.
SSLi Enhancements
• SSLi Connection Buffering During Certificate Fetching and Forging
page 54
Feedback
SSLi Connection Buffering During Certificate Fetching and Forging

In earlier SSLi deployments for new connections, when a server certificate fetch request was sent to a
server, the incoming new SSLi connection requests to the same server were either bypassed or reset
(based on configuration) till the time the server certificate was forged and ready.
However, this behavior may cause a security breach especially during initial connections when a cache
certificate expired and all subsequent connections were either reset or bypassed till a new forged certif-
icate was ready.
As a solution to this issue, there is a new configuration option available in the client-SSL template where
you are able to buffer all new connections to a server till the time the forged certificate is ready. In case
of an SSLi deployment with OSCP and CRL implemented, the new connections are buffered till a verifi-
cation result response is received from the server.
NOTE: The default option for this SSLi configuration is to bypass all new connec-
tions. Hence, in order to buffer the new connections from a server, the
SSLi connection buffer option must be enabled either through the ACOS
CLI or ACOS GUI.
For the certificate not ready option, the following is the output of the help command, the code in blue is
the latest change.
ACOS_decrypt(config-client ssl)#forward-proxy-cert-not-ready-action ?
bypass bypass the connection(default)
reset reset the connection
intercept wait for cert and then inspect the connection
NOTE: For more information, see SSLi Configration Guide.
Platform Enhancements
• TACACS Server Number Increment and the Limitation
• Known Issues or Limitations
• Scenario
• Important
page 55
FeedbackF
Fee
e
TACACS Server Number Increment and the Limitation

There is a need to increase the limit of the number of the TACACS server from two to three. The
Exchange server has three TACACS servers for their thousands of devices which are functionally
deployed and active with high volume or traffic. These deployed devices are running into the limit of two
servers configured as the maximum number of servers on ACOS. The user experience and traffic are
enhanced once the limit is increased from the current limit of two TACACS servers to three servers or as
an optional number that user can configure.
Known Issues or Limitations

The TACACS monitor needs to be configured to use the most recently used server as the primary
server. The hard limit on the number of the TACACS server is increased to three servers and it starts
behaving with the first configured server as the Active Server and the other remaining two servers as
the Standby Servers. In the eventuality of the request going to the first server, and failing, then the
request is sent to the other two servers, to check, whether if it passes the other servers or not.
Scenario
The scenario of this feature is as the following:
• The first server is considered as the Active Server by Default.
• The second and the third servers are considered as the Standby Servers.
• If the TACACS Server monitor is configured, then;
• The user uses the logic of requests which is sent to the most recently used server.
• If not, then the active server gets the requests by default.
Important
In this scenario, the following are the important points to consider:
• The new CLI or aXAPI changes or corrections must not work in L3V partitions.
• The changes are only applicable in the Shared Partition.
• All the new CLI or aXAPI changes must be device independent.

There were no enhancements introduced in the ACOS 4.1.1-P9 release.
page 56
Feedback

The following enhancements are introduced for ACOS 4.1.1-P8. This section has the following topic:
• Layer 2/3 Routing Enhancements
• SLB Enhancements
• Health Monitor Enhancements
• SSLi Enhancements
• System Log Enhancements
Layer 2/3 Routing Enhancements

• Management Services Command Precedence
Management Services Command Precedence

The ACOS device behavior is clarified for management services such that configuration commands
have precedence over other access methods, including ACLs. This feature does not add or remove CLI
or GUI commands.
The disable-management service command on the management port disables the specified service.
For example, HTTPS service is disabled on the management port with the disable-management service
https command. The service cannot be enabled by an ACL until the disable-management service com-
mand is removed from the configuration.
Telnet service is disabled on the management port and cannot be enabled through any method without
explicitly enabled Telnet through an enable-management service command.
These commands enable Telnet service for IPv4 and IPv6 traffic.
ACOS(config)# enable-management service telnet

ACOS(config-enable-management telnet)# management
ACOS(config-enable-management telnet)#
These commands enable Telnet service for ACL-15 hosts on the management port.
ACOS(config)# enable-management service telnet

ACOS(config-enable-management telnet)# acl-v4 15
ACOS(config-enable-management telnet-acl...)# management
page 57
FeedbackF
Fee
e
ACOS(config-enable-management telnet-acl...)#
SLB Enhancements
The following enhancements are introduced for Server Load Balancing. This section has the following
topic:
• TCP “Loose Close”
TCP “Loose Close”

This feature provides an option to enable closing a client or server connection with a reset (RST) on the
first FIN received from the client or server. This option alleviates the situation where a backend server
receives the client FIN, ACKs the FIN, enters CLOSE_WAIT but does not close the connection (no-FIN
behavior), which can result in a build-up of CLOSE-WAIT sessions and subsequent resource exhaustion
on the server. This is particularly relevant on configurations that default to this no-FIN behavior.
This feature is enabled through the reset-follow-command, which is available through the SLB TCP tem-
plate.
ACOS(config)# slb template TCP TCP-TEMP

ACOS(config-l4 tcp)# reset-follow-fin
ACOS(config-l4 tcp)#
Health Monitor Enhancements

The following enhancements are introduced for Health Monitor. This section has the following topics:
• Compound Health Monitor Bound to Service-group with DSCP
• Health Monitor UP and DOWN Statuses
Compound Health Monitor Bound to Service-group with DSCP

The ACOS device supports compound health monitors for service groups bound to ports that imple-
ment DSR (Direct Server Return). This feature supports L2 DSR configurations and both types of L3 DSR
configurations (dscp and ipinip). The GUI and CLI are not affected by this change.
Previously, when a health check is initiated for a sub-monitor within a compound health monitor, ACOS
translates it to the port found in the service-group to vport binding, not the override-port meant for the
actual sub-monitor. This feature programs ACOS to lookup the actual sub-monitor to use when translat-
ing this packet for DSR health check.
page 58
Feedback
Feature limitations include 1) the compound health monitor must be bound to the service group, not
directly to the real server or real server port; and 2) to perform DSR health checks utilizing compound
monitors upon multiple VIPs, a different service group must be utilized by each DSR VIP.
Health Monitor UP and DOWN Statuses

This feature modifies two show commands to the CLI that display Health Monitor status and the reason
that the status is UP or DOWN. Previously, obtaining this information required entering two CLI com-
mands.
• The show health stat command output is modified such that the summary table includes a col-
umn for Reason (UP/DOWN):
ACOS# show health stat
Health monitor statistics
Total run time: : 0 hours 29 minutes 14 seconds
Number of burst: : 0
max scan jiffie: : 5
min scan jiffie: : 1
average scan jiffie: : 2
Opened socket: : 3547
Open socket failed: : 0
Close socket: : 3542
Connect failed: : 0
Send packet: : 3054
Send packet failed: : 0
Receive packet: : 2355
Receive packet failed: : 348
Retry times: : 263
Timeout: : 350
Unexpected error: : 0
Conn Immediate Success: : 0
Socket closed before l7: : 0
Socket closed without fd notify: : 0
Configured health-check rate(/500ms) : Auto configured
Current health-check rate(/500ms) : 4
External health-check max rate(/200ms) : 2
Total number: : 15
Status UP: : 10
Status DOWN: : 5
Status UNKN: : 0
Status OTHER: : 0
IP address Port Health monitor Status Cause(Up/Down) Reason(Up/Down) Retry

PIN
--------------------------------------------------------------------------------------------------------
-----------
20.20.15.8 default UP 11 /0 @0 ICMP Receive OK 0
0 /0 0
0 /0 0
2003::11:11:11:10 default UP 12 /0 @0 ICMPv6 OK 1
0 /0 0
0 /0 0
20.20.15.15 default DOWN 0 /48 @8 ICMP Receive Error 0
0 /0 0
20.20.15.8 80 default UP 20 /0 @0 TCP Verify Connection OK 0
0 /0 0
90.90.90.20 80 default UP 20 /0 @0 TCP Verify Connection OK 0
0 /0 0
90.90.90.20 53 default UP 24 /0 @0 UDP No Response 262
2 /0 0
20.20.15.9 443 https-rsa UP 10 /0 @0 HTTP Status Code OK 0
0 /0 0
2003::11:11:11:10 80 default UP 20 /0 @0 TCP Verify Connection OK 0
0 /0 0
page 59
FeedbackF
Fee
e
2003::11:11:11:10 80 tcp-halfopen UP 22 /0 @0 TCP Half Connection OK 0

0 /0 0
20.20.15.8 3389 default DOWN 0 /82 @3 TCP Port Closed 0
0 /0 0
20.20.15.8 5060 default DOWN 0 /82 @3 TCP Port Closed 0
0 /0 0
20.20.15.8 5060 default DOWN 0 /90 @8 UDP No Service 0
0 /0 0
20.20.15.8 143 imap2 DOWN 0 /82 @3 TCP Port Closed 0
0 /0 0
ACOS#
• The show health monitor <name> command is modified to include the UP (or DOWN) reason:
ACOS# show health monitor http2
Monitor Name: http2
Interval: 5
Max Retry: 3
Timeout: 5
Up-Retry: 1
Status: In use
Method: HTTP
Attribute: port=80
url="GET /"
Health-check:
--------------------------------------------------------
Up reason: HTTP Status Code OK
Monitor name: http2
Method: HTTP
Attribute: port=80
url="GET /"
Wait for HTTP response:False
L4 conn made: 8764
L4 errors: 0
Health-check average RTT (us):10333
Health-check current RTT (us):11620
Health-check average TCP RTT (us):5002
Health-check current TCP RTT (us):7620
Status code received: 200
HTTP requests sent: 8764
HTTP errors: 0
Received OK: 8764
Received error: 0
Response timeout: 0
--------------------------------------------------------
Service information:
Service: s3(20.20.15.11):80 UP HTTP Status Code OK
ACOS#
SSLi Enhancements
The following enhancements are introduced for SSLi. This section has the following topics:
• Support for SSH Insight
• Support for SSLi Exception Lists Based on Certificate Subject or Issuer
• IP-less SSLI OCSP request support for Layer-2 mode
• Friendly Response Block/Failure Page for SSLi
• SSLi - ICAP Only send allowed HTTP methods logs
page 60
Feedback
• Support for Revoking Certificate From the Cache and Generating CRL
• Support for Dropping, Rejecting, or Forwarding Connections Based on EKU Fields for Certificates
Support for SSH Insight

ACOS provides support for intercepting, decrypting, and re-encrypting Secure Shell (SSH) sessions. Only
static port SSH Insight (SSHi) with RSA keys is supported in this release. The purpose of the SSH Insight
(SSHi) feature is to transparently intercept and decrypt SSH traffic so that it can be inspected for secu-
rity reasons, and then re-encrypt the traffic before forwarding it to the SSH server.
NOTE: The user can configure this feature by using either the ACOS GUI or CLI.
For more information, see SSL Insight Configuration Guide.
Support for SSLi Exception Lists Based on Certificate Subject or Issuer

The forward-proxy-bypass command enables configuring of rules that determine if a packet is to be
bypassed based on the configured criteria. The exception class list is used to decide if a packet passing
through an SSLi solution is to be inspected even if forward proxy bypass is configured. For example, a
rule can be configured to bypass inspection of all financial services. However, using an exception-
class-list option, it is possible to inspect packets from specific financial services.
In running earlier ACOS releases, exception lists based on Server Name Indication (SNI) is supported. An
AC class list is defined to match the SNI in an SSL client hello message to decide whether to bypass or
inspect a packet in an SSLi setup. This feature is now extended to support exception lists that include
elements such as IP addresses, SNIs, and matching certificate subject or issuer for all cipher suites.
Cipher suites must be validated against an appropriate RFC or NIST standard. Unless this new option is
configured, by default, the SNI in the client-hello message is used for deciding bypass or inspection.
NOTE: The user can configure this feature by using either the ACOS GUI or CLI.
For more information, see SSL Insight Configuration Guide.
IP-less SSLI OCSP request support for Layer-2 mode

In earlier ACOS releases, SVM NAT pool was configured to fetch OCSP and CRL requests. However, this
ACOS release also supports using the client IP address to fetch OCSP and CRL requests. This enables
the ACOS deployment to be used across different hardware systems as there is no requirement to con-
figure an IP address for OCSP and CRL requests. This feature is supported for IP-less Layer-2 SSLi.
Additionally, this feature is only applicable for static and dynamic SSLi. The SSLi virtual port does not
support this feature.
In order to resolve the OCSP and CRL URLs, the ip dns primary configuration in the shared partition
must be set. The ip dns primary configuration is required in the shared partition if the ACOS encrypt
and ACOS decrypt zones are in private partitions as it is a global configuration. The route for ip dns
primary must also be configured as the default gateway of the management IP.
page 61
FeedbackF
Fee
e
For the legacy SSLi L3V configuration, the dynamic-service template is configured under the virtual
port. However, this configuration is not required for IP-less OCSP and CRL requests. The dynamic-ser-
vice template must have IP addresses configured for sending out packets that do not work for this fea-
ture. If there is an slb svm-source-nat pool configured, use the NAT pool IP instead of the client IP to
fetch OCSP and CRL requests.
NOTE: For more information, see SSL Insight Configuration Guide.
Support for IP-less Single Partition SSLi

Earlier ACOS releases supporting SSLi in a single partition required the server to be a valid server. An IP
address was required for the interfaces so that a health check could be performed and the next hop
entries for the real server configured. In this release, ACOS supports configuring a dummy server for sin-
gle partition SSLi solutions. The details on the L2 traffic is used to forward the packet. Hence, the IP-less
single partition SSLi solution works in a Layer-2 mode.
The following are the important configuration guidelines:
• Specify the correct outgoing port on the dummy MAC entry with the command: mac-address
mac_address port port_number vlan vlan_id redirect-dummy-mac
• The port and vlan mentioned in the dummy MAC configuration must be must be on the gateway.
The vlan is only for configuration. The client vlan is preserved while forwarding packets to the
gateway.
• Configure use-rcv-hop-for-resp under the virtual ports as this decides the client side network
ports.
NOTE: For more information, see SSL Insight Configuration Guide.
Friendly Response Block/Failure Page for SSLi

• Details
• CLI Configuration Commands
• GUI Configuration
Details
A new SSLi status page is displayed when the traffic is blocked with the following details Customized
information can be included for the ACOS administrator to track the issue:
• Decryption failure - All certificate responses that return a generic HTTP error have an IT policy.
A level of detail to determine if it was a certificate blocked, or handshake failing. A web server
page 62
Feedback
instance on ACOS redirects the user for the custom messages. A log message is generated with
the reason.
• Connection drop- A warning page provides information regarding the SSLi failure when a
connection is dropped.
• OCSP blocks for revoked or non-trusted certificates - This is also available for URL filter-
ing. If a user is blocked from a category or class-list, within the URL filtering policy, level of cus-
tomization is provided to the returned response.
• Corporate policy section.
CLI Configuration Commands
To configure a custom message for the three forward-proxy “action” commands, use the new
option called “block”:
ACOS(config)# forward-proxy-cert-revoke-action block

ACOS(config)# forward-proxy-cert-unknown-action block
ACOS(config)# forward-proxy-verify-cert-fail-action block
To configure “block” custom message applicable to the above 3 commands configured with forward
proxy, use:
ACOS(config)# forward-proxy-block-message "my common msg"
GUI Configuration
A friendly SSLi status page is displayed so that the users can see that data traffic is blocked.
SSLi - ICAP Only send allowed HTTP methods logs

• Details
• CLI Configuration
Details
ACOS provides option to enable or disable the default behavior for ICAP logging. The default behavior is
to send a log for all methods to system log. This allows logging of system actions to send traffic to the
ICAP server(s) for all HTTP/HTTPS methods. Option is provided to send the PUT and POST method to
ICAP with the ' allowed-http-methods “PUT POST” or to send all method logs.
page 63
FeedbackF
Fee
e
CLI Configuration
The new option can be configured to change the default behavior from all methods to only send logs for
the methods defined with the ' allowed-http-methods ' command, the option log-only-allowed-method
only HTTP method is logged in the “Request Mode” or “Response Mode” ICAP templates.
• Under reqmod-icap template:
AX2500(config)#slb template reqmod-icap req

AX2500(config-reqmod-icap)#log-only-allowed-method
Only log allowed HTTP method
• Under respmod-icap template
AX2500(config)#slb template respmod-icap resp

AX2500(config-respmod-icap)#log-only-allowed-method
Only log allowed HTTP method
• CLI SLB template configuration example:
slb template reqmod-icap req

allowed-http-methods "GET PUT POST"
include-protocol-in-uri
min-payload-size 2000
preview 1
service-url icap://daniel:1344/req
service-group icap
template logging log-template
log-only-allowed-method
!
slb template respmod-icap resp
include-protocol-in-uri
fail-close
min-payload-size 5000
service-url icap://daniel:1344/resp
service-group icap
template logging log-template
log-only-allowed-method
This option is also available in aFlex to be used with the CATEGORY command and the ICAP disable, for
advanced ICAP filtering.
page 64
Feedback
NOTE: For more information, see aFlex Scripting Language Reference Document.
Support for Revoking Certificate From the Cache and Generating CRL
ACOS supports revoking certificates generated by SSLi if the certificates are leaked. Revoked
certificates are identified by their serial numbers. If a certificate is revoked from the cache, a CRL is gen-
erated and provided to the clients connected to SSLi providing information about the revoked
certificates.
The following is some important information regarding revoked certificates:
• A certificate, if revoked, cannot be restored.
• When the CRL is generated, the list is read, put into CRL format, and signed by using the forward-
proxy-ca-key.
• The CRL is generated manually and then exported to a location reachable by the clients.
NOTE: You can configure this feature by using either the ACOS GUI or CLI. For
more information, see SSL Insight Configuration Guide.
Support for Dropping, Rejecting, or Forwarding Connections Based on EKU Fields for
Certificates
ACOS supports granting or denying access to an SSL site based on certificate Extended Key Usage
(EKU) fields defined in RFC-5280. Connections can be dropped, rejected, or forwarded based on the
value of extended fields such as code signing or mutual authentication in the certificate representing
the Internet server to the internal clients.
NOTE: For more information, see aFlex Scripting Language Reference Document.
System Log Enhancements

The following enhancement is introduced for system logging. This section has the following topic:
• System Local Log Limit
System Local Log Limit

The CLI layout for show local log database all is updated with option to limit the number of lines to
display from 0 to 10000 lines.
AX2600#show local-log database all ?
page 65
FeedbackF
Fee
e
limit Number of lines to display. (default: 3000)

| Output modifiers
<cr>
AX2600#show local-log database all limit ?
<0-10000> Number of lines to display. (default: 3000)
AX2600#show local-log database all limit 0

The following enhancements are introduced for ACOS 4.1.1-P7.
• String Length for TCP Health Monitors Increased to 512 Characters
• Support for HTTP 1.1 for OCSP Requests
String Length for TCP Health Monitors Increased to 512 Characters

The allowed character string length for custom TCP health monitors is increased to 512 characters.
(Issue ID 417800)
Support for HTTP 1.1 for OCSP Requests

In previous releases, the ACOS device sent OCSP requests without the host in the HTTP header. Some
OCSP servers would deny OCSP request that did not have the host header. To support this new require-
ment, this release allows users to enable HTTP version 1.1 for OCSP requests, which will enable ACOS
to include the missing HTTP header in OCSP requests. (Issue ID 412937)
The following example shows that the AAM configuration is changed to HTTP version 1.1:
ACOS(config)# show run aam

aam authentication server ocsp ocsp1
url http://1.2.3.4:8080/
responder-ca AD03-CA-root
aam authentication server ocsp ocsp2
url http://www.a10networks.com/
http-version 1.1
page 66
Feedback

The following enhancements are introduced for ACOS 4.1.1-P6.
• Log Message for Service Group Member Activity
• Support for TCP MSS Clamping on Gi-FW Sessions
• Support for Disabling ICAP Based on HTTP Header Using afleX
• Support for Web Category Lookup using aFleX
• Support for New Interface Types for ip mgmt-traffic
• High Availability Migration Support
• Support for SSLi Forward Proxy Bypass Exception List
Log Message for Service Group Member Activity

This feature generates log messages when a service-group member is disabled (with the disabled or
disable-with-health-check commands) or disabled. These events also generate SNMP traps. Log mes-
sages are currently generated when server status changes (marked up or down) as the result of pass-
ing or failing a health check.
NOTE: For more information, see the “enable”, “disable”, and “disable-with-
health-check” commands in the “Config: Commands: SLB Servers” chap-
ter of the Command Line Interface Reference for ADC.
Support for TCP MSS Clamping on Gi-FW Sessions

The Maximum Transmission Unit (MTU) of an Ethernet interface is set at 1500 bytes. Out of the 1500
bytes of the IP packet, some portion is TCP/IP header information, while the rest is the actual data to be
transmitted. However, not all points in the network path may support an MTU of 1500; issues such as
slow performance and unexpected packet drops may occur if some parts of the network have an MTU
of less than 1500 bytes.
Path MTU Discovery (PMTUD) is a process that calculates the ideal MTU in such a network path so that
IP fragmentation does not occur. PMTUD works with the help of ICMP or ICMPv6 messages between
various points in the network and source, so that the source and destination may converge upon an
optimum MTU value. This convergence ensures packet fragmentation along the network path does not
occur. However, PMTUD may not work correctly in some networks, as many security devices block the
ICMP messages.
In such circumstances, a workaround is to use maximum segment size (MSS) clamping. In MSS
clamping, the source and the destination are configured with a lower MTU than that of 1500 bytes. TCP
MSS clamping is supported on Gi-FW.
page 67
FeedbackF
Fee
e
MTU of the network = MSS + Size of TCP-IP Headers
Use the ACOS CLI to set the maximum and minimum TCP MSS values, as well as the value to subtract
from the configured maximum MSS value, if the configured MSS value exceeds the MTU of the
network.
NOTE: For the CGN sessions that are based on CGN rules, see the CLI command
cgnv6 tcp mss-clamp to configure MSS clamping. For more information
about the command syntax, see Command Line Interface Reference for
CGN Guide.
You can use the ACOS CLI to set the maximum, minimum, and subtracted TCP MSS values.
ACOS(config)#fw tcp mss-clamp fixed ?

<0-1460> The max value allowed for the TCP MSS (default: not configured)}
ACOS(config)#fw tcp mss-clamp fixed 500 ?
<cr>
ACOS(config)#fw tcp mss-clamp fixed 500
ACOS(config)#fw tcp mss-clamp subtract ?
<0-1460> Specify the value to subtract from the TCP MSS (default: not configured)
ACOS(config)#fw tcp mss-clamp subtract 500 ?
min Specify the min value allowed for the TCP MSS
<cr>
ACOS(config)#fw tcp mss-clamp subtract 500 min
ACOS(config)#fw tcp mss-clamp subtract 500 min ?
<0-1460> Specify the min value allowed for the TCP MSS (default: ((576 - 60 - 60)))
ACOS(config)#fw tcp mss-clamp subtract 500 min 480 ?
<cr>
ACOS(config)#fw tcp mss-clamp subtract 500 min 480
Support for Disabling ICAP Based on HTTP Header Using afleX

The ICAP feature can be enabled by binding the template under virtual-port. With this feature, you now
have the flexibility to disable ICAP for certain requests, based on the HTTP headers.
The afleX command for disabling ICAP for current HTTP flow is as follows:
Syntax: ICAP::disable
If ICAP::disable is executed, ICAP process for the current request is disabled. For subsequent requests
in the same session, ICAP will still be enabled.
page 68
Feedback
aFleX has highest precedence over other configuration features, so if the aFleX ICAP::disable com-
mand is executed for the current request, none of other features can re-enable ICAP.
The supported events are as follows:
• HTTP_REQUEST
• HTTP_RESPONSE
The supported vports are as follows:
• HTTP
• HTTPS
Example Configuration:
when HTTP_REQUEST {
set method [HTTP::method]
if { ($method matches "POST")
or ($method matches "PUT") } {
return // follow the ICAP policy configured with CLI
} else {
ICAP::disable // disable ICAP template policy
}
}
Support for Web Category Lookup using aFleX

Web Category is a dynamic web category classification service. You can now configure ACOS to take
action based on client request using web category with the following aFleX command:
Syntax: CATEGORY::lookup
Valid Events:
• All HTTP events
• All AAM events
Input:
The input is one parameter. URL
Output:
The output is category in TCL object list.
page 69
FeedbackF
Fee
e
The possible values returned by the Category:lookup API is as follows:
abortion
adult-and-pornography
alcohol-and-tobacco
auctions
bot-nets
business-and-economy
cdns
cheating
computer-and-internet-info
computer-and-internet-security
confirmed-spam-sources
cult-and-occult
dating
dead-sites
drugs
dynamic-comment
educational-institutions
entertainment-and-arts
fashion-and-beauty
financial-services
food-and-dining
gambling
games
government
gross
hacking
hate-and-racism
health-and-medicine
home-and-garden
hunting-and-fishing
illegal
image-and-video-search
internet-communications
internet-portals
job-search
keyloggers-and-monitoring
kids
legal
local-information
malware-sites
marijuana
page 70
Feedback
military
motor-vehicles
music
news-and-media
nudity
online-greeting-cards
open-http-proxies
parked-domains
pay-to-surf
peer-to-peer
personal-sites-and-blogs
personal-storage
philosophy-and-politics
phishing-and-other-fraud
private-ip-addresses
proxy-avoid-and-anonymizers
questionable
real-estate
recreation-and-hobbies
reference-and-research
religion
sampling-enable
search-engines
sex-education
shareware-and-freeware
shopping
social-network
society
spam-urls
sports
spyware-and-adware
stock-advice-and-tools
streaming-media
swimsuits-and-intimate-apparel
training-and-tools
translation
travel
uncategorized
unconfirmed-spam-sources
violence
weapons
web-advertisements
web-based-email
web-hosting-sites
page 71
FeedbackF
Fee
e
Sample Configuration
The following configuration is to allow only POST and PUT methods. For these methods ICAP is dis-
abled for the matching category or class-list.
The last section of the configuration is looking for the signal header on port 80, for the decrypted traffic.
when HTTP_REQUEST {
set method [HTTP::method]
set icap_disable 0
if { not ( $method equals "POST" or $method equals "PUT" ) } {
log " method is $method"
set icap_disable 1
} elseif { $method equals "POST" or $method equals "PUT" } {
set ctg [CATEGORY::lookup [HTTP::host]]
log "check category $ctg"
if { $ctg contains "personal-storage" or $ctg contains "personal-
sites-and-blogs" } {
log " category match"
set icap_disable 1
} elseif { [CLASS::match [HTTP::host] equals Bypass_Class_List] } {
log " host match ICAP disable"
set icap_disable 1
}
}
if { $icap_disable } {
log "icap_disable set to $icap_disable"
ICAP::disable
}
}
Support for New Interface Types for ip mgmt-traffic

The following interfaces can be configured as the source interface for all the management services
using the ip mgmt-traffic service source-interface command:
• ethernet
• lif
• loopback
• trunk
page 72
Feedback
• tunnel
• ve
The IP address on the configured interface is used as the source IP address when the service is initiated
from ACOS. The use-mgmt-port option with management services uses the source IP address config-
ured in the ip mgmt-traffic service source-interface command. IPv6 is not supported for the ip
mgmt-traffic service source-interface command.
NOTE: For more information on syntax and usage guidelines for the command,
see CLI Reference Guide.
High Availability Migration Support

When ACOS 2.7.x is upgraded to 4.1.1-P6 or later and contains existing High Availability configuration,
this configuration will be automatically updated with the equivalent VRRP-A configuration. This automa-
tion replaces the existing vrrp-a ha migration command.
The following Table 3 shows the legacy HA commands and their VRRP-A equivalents that occur during
this automated upgrade process.
NOTE: Many of the VRRP-A commands are further changed in the ACOS 4.x
releases and are no longer the same as their legacy 2.7.x or 2.8.x equiva-
lents; this migration is performed by the ACOS 4.x migration script.
TABLE 3 Actual HA to VRRP-A Conversion

HA VRRP-A
ha id {1|2} [set-id num] vrrp-a set-id num
ha group id num priority num vrrp-a vrid num
priority num
ha arp-retry num vrrp-a arp-retry num
ha conn-mirror ip ipaddr IP address is learned automatically
ha force-self-standby HA-group-id num vrrp-a force-self-standby-persistent vrid
persistent num
ha forward-l4-packet-on-standby vrrp-a common
forward-l4-packet-on-standby
ha inline-mode vrrp-a common
inline-mode
ha l3-inline-mode vrrp-a l3-inline-mode
ha interface ethernet port-num vrrp-a interface ethernet port-num
ha link-event-delay num vrrp-a common
track-event-delay num
ha ospf-inline vlan vlan-id vrrpa-a ospf-inline vlan vlan-id
ha restart-port-list ethernet num vrrp-a restart-port-list
ethernet num
page 73
FeedbackF
Fee
e
TABLE 3 Actual HA to VRRP-A Conversion

HA VRRP-A
ha restart-time 100-msec-units vrrp-a common
restart-time 100-msec-units
ha time-interval 100-ms-units vrrp-a common
hello-interval 100-ms-units
ha timeout-retry-count num vrrp-a common
dead-timer num
ha check gateway ipaddr gateway ipaddr priority-cost default
ha check vlan vlan-id timeout seconds tracking-options
vlan vlan-id timeout seconds
ha check route prefix /mask This appears under tracking-options:
priority-cost weight
route prefix /mask priority-cost weight
[gateway ip ipaddr | ipv6 ipv6addr] [gateway ipaddr | ipv6addr]
[protocol {static | dynamic}] [protocol {static | dynamic}]
[distance num] [distance num]
Support for SSLi Forward Proxy Bypass Exception List

For an ACOS device configured as an SSLi device, web-category is configured to bypass a set of
domains under a specific category. However, in some circumstances there is a requirement to intercept
a few domains under these categories while bypassing everything else. For example, web-category can
be configured to bypass all financial domains. However, there may be a requirement to intercept exam-
plebank.com. In such a circumstance, use the Forward Proxy Bypass exception list to include exam-
plebank.com as an exception. Any entry present in the exception list is intercepted irrespective of the
settings configured for the Forward Proxy Bypass feature.
Some important information for configuring the exception list include:
• The feature is applicable to a licensed SSLi device only.
• If using web-category module, web-category license must also be installed.
• The exception class-list does not apply to forward-proxy-bypass client-auth as this is used for cli-
ent authorization to go through.
• Web-category is not supported for client-auth bypass.
• Exception class-list must be of AC type class-list.
• Only one exception class-list can be bound to client-ssl template.
• The SNI extension must be present in the client hello message. If the SNI extension is not present,
the connection is intercepted by default.
• You can configure the exception list by using the CLI.
Use the following CLI command to set up the exception list:
page 74
Feedback
ACOS(config-client ssl)#forward-proxy-bypass ?
equals Forward proxy bypass if SNI string equals another string
exception-class-list Exceptions to forward-proxy-bypass
starts-with Forward proxy bypass if SNI string starts with another string
The following configuration example is of an SSLi deployment that bypasses interception of all search
engines except google, espn, and bing. Since the precedence for the bypass exception list is higher,
espn is intercepted although it is configured for both forward proxy bypass and as a member of the
exception list. The code highlighted in blue is an example of the SSLi Forward Proxy Bypass Exception
List feature.
class-list dest ac
contains bing
contains google
contains espn
slb template client-ssl client

forward-proxy-ca-cert AD03-CA
forward-proxy-ca-key AD03-CA
forward-proxy-enable
forward-proxy-failsafe-disable
forward-proxy-source-nat pool snat2
forward-proxy-bypass exception-class-list dest
forward-proxy-bypass contains espn
forward-proxy-bypass web-category search-engines
slb virtual-server wildcard 0.0.0.0 acl 100

port 0 others
service-group outside_tcp
use-rcv-hop-for-resp
no-dest-nat
port 0 tcp
service-group outside_tcp
no-dest-nat
port 0 udp
service-group outside_udp
no-dest-nat
port 443 https
source-nat pool snat2
service-group outside_http8080
template client-ssl client
page 75
FeedbackF
Fee
e
no-dest-nat port-translation

NOTE: There were no enhancements introduced in ACOS 4.1.1-P5.

The following enhancements are introduced in ACOS 4.1.1-P4:
• Harmony Controller Enhancements
• Configuration Manager Enhancements
• GUI Enhancements
• Licensing Enhancements
• Network Management System Enhancements
• SSL Insight (SSLi) Enhancements
Harmony Controller Enhancements

The following topics are covered in this section:
• Ongoing Sync for Objects and Devices
• Object Registration for ADC or CGN
• Thunder Device Registration
• Telemetry for ADC Metrics Generation to Kafka/Avro
• Telemetry for Object UUID Sync on Thunder Clusters
NOTE: For more information about any of the following A10 Harmony Controller
enhancements, see the A10 Harmony Controller Integration Guide.
page 76
Feedback
Ongoing Sync for Objects and Devices

This release supports the ability to perform automatic synchronization, by pushing configuration
changes from the managed Thunder devices to the Harmony Controller.
Object Registration for ADC or CGN

The release supports registration of ADC and CGN objects. For example, during registration, the follow-
ing is a partial list of objects that are synchronized between the Thunder managed devices and the A10
Harmony Controller: virtual servers, service groups, server ports, and so on
Object registration in this release is focused on analytics. Therefore, only the “top names”, “keys” and
similar data are sent to the A10 Harmony Controller, but device config information is not sent to the
controller.
Thunder Device Registration

The release supports registration of the Thunder device with the A10 Harmony controller. During the
registration, the managed device pushes information for users, partitions and roles to the controller.
Telemetry for ADC Metrics Generation to Kafka/Avro

As part of the A10 Harmony Controller integration with Thunder ADC and CGN devices, this release sup-
ports Apache Avro for use as an encoding format for Data Plane logs. This encoding format will be used
widely in various telemetry exports from the Thunder ADC to the controller.
Telemetry for Object UUID Sync on Thunder Clusters

For HA and VCS configurations, objects are often replicated across multiple devices. To support inte-
gration with the A10 Harmony Controller, this release supports the ability for these objects to have the
same UUID.
Configuration Manager Enhancements

• Providing Valid JSON Response on Successful API Upgrade
• New SNMP Object for Firewall Global Statistics
• New SNMP Object for Firewall Full-Cone Sessions
• New SNMP Object for Firewall System Status
page 77
FeedbackF
Fee
e
Providing Valid JSON Response on Successful API Upgrade

Upgrade using aXAPI is changed from a blocking way to a non-blocking way. Previously, the response
to a successful upgrade using aXAPI was an HTTP 204 (empty) response. Now, the upgrade aXAPI
request provides the following 202 (accept) response with a JSON body showing that the command
was successfully accepted to process.
HTTP status 202

{
"response": {
"status": "OK",
"msg": "The upgrade request has been received."
}
}
If an upgrade is already in progress, an HTTP 409 (not accept because of conflict) response is returned
with the following JSON body:
{
"response": {
"status": "fail",
"err": {
"code": 520734987,
"from": "BACKEND",
"msg": "Another upgrade process exists."
}
}
}
For all the other errors such as disk full error, incorrect image error, and so on, an HTTP 202 response is
returned.
Use /axapi/v3/system/upgrade-status/oper to check the aXAPI upgrade status after the receiving the
accept response.
New SNMP Object for Firewall Global Statistics

The acosFwGlobal object is added to return firewall statistics.
The OID for this object is.1.3.6.1.4.1.22610.2.4.10.139.7.
New SNMP Object for Firewall Full-Cone Sessions

The acosFwFullConeSession object is added to return the details for firewall full-cone sessions.
page 78
Feedback
The OID for this object is .1.3.6.1.4.1.22610.2.4.11.139.16.
New SNMP Object for Firewall System Status

The acosFwSystemStatus object is added to return the firewall system status.
The OID for this object is .1.3.6.1.4.1.22610.2.4.11.139.18.
GUI Enhancements
• Single Sign-on Support from Harmony Controller GUI to the Thunder ADC GUI
• SSL Version Filtering for SSLi Through GUI
• Harmony Controller Registration Through GUI
Single Sign-on Support from Harmony Controller GUI to the Thunder ADC GUI
Once registered and logged into the Harmony Controller GUI, the Harmony Controller generates a
secure and signed JSON token that enables you to access the Thunder ADC GUI without a second sign
on.
SSL Version Filtering for SSLi Through GUI

SSL/TLS version configuration for SSLi through the GUI is available through Security >> SSLi and ADC
>> Template when configuring a Client SSL template.
Harmony Controller Registration Through GUI

Harmony controller registration configuration through the GUI is available. Navigate to System
>>Admin and click Controller to access this page.
Licensing Enhancements
The following topic is covered in this section:
• Capacity Pool License Model for vThunder and Bare Metal
Capacity Pool License Model for vThunder and Bare Metal

The capacity pool license model enables you to subscribe to a specific bandwidth pool called the
capacity pool on Global License Manager (GLM), with an additional option of automatically renewing
page 79
FeedbackF
Fee
e
your license before the license expiry date. Unlike previous license models supported by A10 Networks,
capacity pool license is not node locked. You can configure multiple ACOS devices to share bandwidth
from the common license pool. You can also upgrade or downgrade the capacity of the pool without
disrupting service to your ACOS devices. Additionally, if an ACOS device does not require the assigned
bandwidth, the device has an option to return the bandwidth to the pool. An ACOS device can also
request for more bandwidth from the capacity pool. You can apply a license to an ACOS device for
capacity pool bandwidth by using any of the following methods:
• Using the ACOS CLI
• Importing the License from GLM
• Using VM Cloning
• Using the aXAPI Management
• Using the Cloud-Init Method
NOTE: Capacity pool license commands may be available for your ACOS device.
However, the feature is currently supported for vThunder and Bare Metal
devices running the ACOS version 4.1.1-P4 or later. These ACOS devices
can run any supported ACOS appliance such as Application Delivery Con-
troller (ADC), Carrier Grade NAT (CGN), and Convergent Firewall (CFW).
For all other A10 devices, the feature is included for evaluation purposes
and not intended to be deployed in a production environment.
NOTE: For more information about the capacity pool license, see the Capacity
Pool License User Guide.
page 80
Feedback
Network Management System Enhancements

• Clearing Unused Real Server Ports
Clearing Unused Real Server Ports

This feature adds the clear slb unused-server-ports command, which deletes real server ports that
are not assigned to at least one service group. The command is available in shared and private parti-
tions.
See the Clearing Unused Real Server Ports section in the Application Delivery and Server Load Balancing
Guide and the clear slb unused-server-ports command description in the Command Line Interface
Reference for ADC for the detailed information.
SSL Insight (SSLi) Enhancements

• Dynamic Port Inspection Based on DSCP
Dynamic Port Inspection Based on DSCP

You can set the DSCP for decrypted and bypassed traffic by using the forward-proxy-decrypted dscp
command without changing service groups. The configured DSCP is applied to the IP header of the
decrypted or bypassed traffic. If the service group has a template with DSCP configured, this forward
proxy command takes precedence.
The syntax of the command is as follows:
ACOS(config)#slb template client-ssl ssli

ACOS(config-client ssl)#forward-proxy-decrypted dscp ?
<1-63> DSCP to apply to decrypted traffic
ACOS(config-client ssl)#forward-proxy-decrypted dscp 6 ?
<1-63> DSCP to apply to bypassed traffic
ACOS(config-client ssl)#forward-proxy-decrypted dscp 6 4
NOTE: For more information on the command, see the ACOS 4.1.1-P4 Command
Line Interface Reference for SLB Guide.
page 81
FeedbackF
Fee
e
NOTE: For a configuration example based on this command, see the ACOS
4.1.1-P4 SSLi User Guide.

• FIPS 140-2 Level 2 Enhancements
• Security Enhancements

• L2 Insertion Single-partition SSLi Deployments
• Dynamic Port SSLi without A10-FP Header
L2 Insertion Single-partition SSLi Deployments

The types of L2 deployment configurations that single-partition single-device SSLi support are
enhanced in this release. A single-device SSLi appliance in L2 mode requires minimal or no change to
the existing network. The single-device SSLi appliance has two logical end points. The SSLi_in endpoint
is for decryption and the SSLi_out endpoint is for re-encryption. The updated deployment examples for
the single-device SSLi appliance include the following:
• L2 deployment with untagged ports
• L2 deployment with tagged ports
Both the deployment examples are partition independent and can be deployed with or without L3V par-
titions. Additionally, both deployment examples require at least one IP address for the internal configu-
ration. For more information, see SSL Insight Configuration Guide.
Dynamic Port SSLi without A10-FP Header

In this release, the ACOS SSLi processes are enhanced to include support for dynamic-port single-
device two-partition SSLi. Dynamic-port SSLi requires proprietary messaging to relay SNI information
from the inside SSLi virtual service to the outside SSLi virtual service. This messaging may interfere with
the operation of some inspection devices that are used to intercept and inspect decrypted traffic. To
page 82
Feedback
relay SNI information without the interfering message (A10-FP header), run the following commands on
the shared partition:
ACOS(config)# slb common
ACOS(config-common)# ssli-sni-hash-enable
NOTE: If this feature is enabled for two-device dynamic port deployment, or the
security device modifies the IP address or port number, the outside SSLi
virtual service does not include the SNI information.
FIPS 140-2 Level 2 Enhancements

• Support for FIPS Level 2
Support for FIPS Level 2

This release supports FIPS 140-2 for Security Level 2 for a selected set of A10 Thunder platforms and
related ACOS enhancements to comply with FIP Level 2.
NOTE: For further guidance on A10 products and their support for FIPS Level 2,
see the “FIPS Support” chapter in the System Configuration and Adminis-
tration Guide.
Security Enhancements
• ECDHE and ECDSA Cipher Suite Support for FIPS Platforms
ECDHE and ECDSA Cipher Suite Support for FIPS Platforms

The following cipher suites are now supported for the FIPS platform.
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
page 83
FeedbackF
Fee
e
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

• Application Access Management (AAM) Enhancements
• Configuration Management Enhancements
• Application Delivery Controller (ADC) Enhancements
• GiFW Enhancements
• IPv6 Migration (CGN) Enhancements
• Layer 2/3 Routing Enhancements
• Security Enhancements
• Monitoring Enhancements
• Platform Enhancements
• Cloud Enhancements
• Web Application Firewall (WAF) Enhancements
• FIPS 140-2 Level 2 Enhancements
Application Access Management (AAM) Enhancements

• Maximum Form-based Relay Collection Size Command
• Clear Reverse DNS Cache Command
• RSA Custom Challenge Form
page 84
Feedback
Maximum Form-based Relay Collection Size Command

A new CLI command, max-packet-collect-size, is added under aam authentication relay form-based
that to specify the number of bytes reserved for response packet collection.
Clear Reverse DNS Cache Command

A new CLI command, clear aam authentication rdns, is added in the privileged exec mode to allow
users to clear the reverse DNS cache from the ACOS AAM authentication cache table.
RSA Custom Challenge Form

In this release of ACOS, new CLI commands and GUI fields are added that enable users to customize
the challenge response form clients can receive in when being authenticated by an RSA 8.1 server. This
particular custom challenge is sent to the client when the RSA server is asking for a new PIN.
NOTE: The authentication method can be either form-based or HTTP; that is aam
authentication logon form-based or aam authentication logon http-
authenticate.
CLI Changes
Four existing CLI commands are modified and one command is entirely new:
• Under the aam authentication logon http-authenticate command, the auth-method basic
challenge-response-form sub-command is enhanced by the addition of “challenge-page page-
name challenge-variable variable-name” parameters in the command syntax. The new fields in
this command apply the custom challenge form to the authentication method named in this com-
mand.
• Under the aam authentication logon form-based command, the portal name logon name sub-
command is enhanced by adding the challenge-page page-name option to bind the custom chal-
lenge page to the named logon portal.
• Also under the aam authentication logon form-based command now can associated with the
challenge page variable specified in the authentication method. This binding is provided by the
new challenge-variable variable-name sub-command under the aam authentication logon
form-based command.
• The output of the show aam authentication logon http-authenticate command displays two
new fields:
• Challenge page name
• Challenge variable name
• The output of the show aam authentication logon form-based command also displays these
new fields:
page 85
FeedbackF
Fee
e
• Challenge page name

• Challenge variable name
NOTE: For further information, see the “Config Commands: Application

Access Management” chapter in the Application Access Management
Guide.
Configuration Management Enhancements

• Proceed with CLI Deployment Through Any Warnings
• Multi-part Response for CLI Deployment Errors
• Traceroute and Ping Using CLI Deployment
• Ability to Bypass Confirmation for Certain CLI Commands
• Logging Enhancements
Proceed with CLI Deployment Through Any Warnings

CLI deploy is an endpoint of aXAPI, /axapi/v3/clideploy that accepts CLI commands through HTTP
requests and then executes them. The CLI deployment process ignores any warnings that have no func-
tional impact on the system and returns an HTTP 20X response.
However, if a real error occurs, the CLI deployment process stops and returns a 40X response.
Multi-part Response for CLI Deployment Errors

requests and then executes them.
For configuration commands, the response is in JSON format and for show commands the response is
in plain text format, namely screen output of the CLI.
If the CLI deploy commands that are executed have an error, this feature allows a detailed error infor-
mation response in both JSON and plain text output data formats.
A new filter “mixed” with valid filter value "true", /axapi/v3/clideploy?mixed=true is introduced to end-
point /axapi/v3/clideploy.
This new filter is an on-off multipart/alternative format that allows you to choose between an error
response in JSON or a plain text format.
page 86
Feedback
Example
The sample below includes JSON data and plain text data as alternative choices.
The Content-Type must be “multipart/alternative”, which is a standard HTTP Content Type.
HTTP/1.1 400 Bad Request

Date: Fri, 02 Dec 2016 16:01:37 GMT
Server: Apache
Content-Length: 518
Connection: close
Content-Type: multipart/alternative; boundary="----a10-axapi-1480694497157325"
------a10-axapi-1480694497157325
Content-Type: application/json
{
"response": {
"status": "fail",
"err": {
"code": 4294967295,
"from": "BACKEND",
"msg": "Parse error when executing command.",
"location": "[line:3] asdfasdfas"
}
}
}
------a10-axapi-1480694497157325
Content-Type: text/plain
ACOS(config-real server)#asdfasdfas
^
% Unrecognized command.Invalid input detected at '^' marker.
Done
------a10-axapi-1480694497157325—
Traceroute and Ping Using CLI Deployment

The ping and traceroute commands can now be executed and results obtained through the CLI deploy
endpoint of aXAPI.
NOTE: For the traceroute command to be executed through the CLI deploy end-
point of aXAPI, the end command needs to be issued before the tracer-
oute command in the same call.
page 87
FeedbackF
Fee
e
Ability to Bypass Confirmation for Certain CLI Commands

requests and then executes them. This feature gives the capability to bypass the "yes/no" prompt and
automatically confirm answers for the following CLI deploy commands:
1. reboot
2. reload
3. erase
Logging Enhancements
The acos-events Global configuration CLI command is added enable you to filter which log messages
are sent/received and alter the severity of the log messages.
NOTE: For more details, see “acos-events” in the Command Line Interface Refer-
ence Guide.
Application Delivery Controller (ADC) Enhancements

• Maintain UDP Sessions When a Real Server Goes Down
• Limit (ID Action) in Policy Template Class Lists
• Third Generation SSL Card Support
• Configurable idle-timeout for TCP, UDP, and TCP-Proxy on Fast-Path Configurations
• Hardware Blocking Unconfigured Virtual Port Traffic
• Assigning Stateless Service Groups to Multiple Entities – L2DSR
• Assigning Stateless Service Groups to Multiple Entities – L3DSR
• Assigning Stateless Service Groups to Multiple Entities in L3DSR IP Tunneling Configs
• TCP and UDP Idle-timeout Implementation
Maintain UDP Sessions When a Real Server Goes Down

The Maintain UDP Sessions When a Real Server Goes Down feature programs the device to continue
UDP sessions from a real server goes down. This allows sessions to resume if the down server returns
to service, which is useful for SIP sessions. This feature is implemented by selecting the disable-clear-
session option of the re-select-if-server-down command.
page 88
Feedback
By default, the ACOS device currently continues UDP sessions from real servers that go down. The re-
select-if-server-down command, available in UDP templates, programs the device to select another real
server when the server bound to an active connection goes down; in this instance, the device clears all
UDP sessions from the down server. The the disable-clear-session option programs the device to select
another real server without clearing the UDP sessions.
NOTE: For more details, see the ADC CLI Reference Guide.
Limit (ID Action) in Policy Template Class Lists

This Limit (ID Action) in Policy Template Class Lists feature adds the capacity to define an ACOS action
when an inbound request matches an IP address specified by a class list. The three actions include:
• Forward the request to a specified service drop
• Dropping the request
• Sending a reset (RST) to the client
This feature is implemented through the action command, which is accessible as a class list – LID com-
ponent of an slb policy template. In addition to specifying one of the three actions, the new command
provides the ability to log action events. The show class-list command adds the capacity to count the
number of requests (hitcount) that match an IP address specified by the class list.
This feature also increases the LID value range to 1-1023; the previous range was 1-31.
NOTE: See the action command description in the CLI Reference Guide for ADC.
Third Generation SSL Card Support

A10 adds support for third generation SSL cards that require high performance. Support for third gener-
ation SSL is in addition to second generation SSL cards that are supported by previous A10 versions.
NOTE: For more details, see “SSL Offload and SSL Proxy” chapter of the Applica-
tion Delivery and Server Load Balancing Guide.
Configurable idle-timeout for TCP, UDP, and TCP-Proxy on Fast-Path Configurations

This version supports customized idle timeouts of TCP, UDP, and TCP-Proxy on Fast-Path configura-
tions. Previous versions only allowed the default timeout period in these configurations.
Configurable idle timeouts was previously available for Slow Path configurations through idle-timeout
commands in the TCP, UDP, and TCP-Proxy SLB templates. This new feature is implemented by extend-
ing the influence of the existing commands to Fast-Path configurations.
page 89
FeedbackF
Fee
e
Hardware Blocking Unconfigured Virtual Port Traffic

The Hardware Blocks Unconfigured Virtual Port Traffic feature provides hardware blocking of VIP traffic
that has a destination of a TCP or UDP port that is not configured on the device. This feature is enabled
globally, applies to all VIPs on a device, and implemented through the ddos-protection (SLB Common)
command. This feature is available on A10 Thunder Series SPE devices.
By default, traffic for undefined VIP ports flow through the device and are eventually dropped when pro-
cessed by a device CPU. When hardware blocking is enabled, packets in excess of a configured thresh-
old to an unconfigured port are dropped before entering the ACOS device.
NOTE: See the ADC-CLI Reference Guide and the SLB Configuration Guide for
more information.
Assigning Stateless Service Groups to Multiple Entities – L2DSR

This feature provides the ability to bind a stateless service group to multiple virtual ports or virtual serv-
ers that are handling L2 DRS traffic. This feature is enabled by including the global stateless-sg-multi-
binding command, (accessed through SLB common) in the configuration.
The global stateless-sg-multi-binding command is incompatible with using stateful service groups.
Assigning Stateless Service Groups to Multiple Entities – L3DSR

ers that are handling L3 DSR traffic. This feature is enabled by including the global stateless-sg-
multi-binding command, (accessed through SLB common) in the configuration.
Assigning Stateless Service Groups to Multiple Entities in L3DSR IP Tunneling Configs

ers that are balancing L3 DRS traffic through an ipinip (IP tunnel) configuration. This feature requires no
global configuration.
TCP and UDP Idle-timeout Implementation

Idle timeouts utilized the TCP and UDP policy templates are based on idle-timeout command parame-
ters. For values less than 30, the configured idle-timeout period is identical to the entered command
parameters. For values greater than 30, the timeout period is rounded to a multiple of 60. This method
applies to TCP, TCP-proxy, and UDP templates.
page 90
Feedback
The following schedule describes the mapping of idle-timeout command value to actual timeout period:
• For values less than 31, ACOS uses the entered value.
• For values between 31 and 60, ACOS rounds up to 60 seconds.
• For values greater than 60, ACOS rounds down to the closest multiple of 60 seconds.
NOTE: For more information, see the ADC CLI Reference Guide for ADC. The
idle-timeout commands for TCP template, SLB TCP proxy template,
and UDP template are affected.
GiFW Enhancements
• Support for ASCII Format Log Messages for GiFW
• Hairpinning Support for GiFW
• HTTP Logging Support for GiFW
• Include RADIUS Attributes in GiFW Logs
• Additional show commands for GiFW
• Support Framed-IPv6-Prefix as Key Attribute in RADIUS Table
• Support for TCP Logging for GiFW
Support for ASCII Format Log Messages for GiFW

In previous releases, the Data Center and Gi/SGi Firewall used the “slb logging template” to handle log
messages. Beginning with ACOS 4.1.1, a new “fw logging template” option was added to extend support
for various CGN logging options to GiFW logging.
The following CGN logging options, which were not applicable to SLB logging, are now supported with
the addition of the new “fw logging template” and ASCII formatted log messages:
• Inclusion of RADIUS attributes in log messages
• Support for HTTP logging
• Inclusion of timestamp resolution
• Inclusion of the byte count in log messages
• Set the firewall logging facility
page 91
FeedbackF
Fee
e
This release also adds support for transmission of log messages in ASCII format, whereas previous
releases only supported Common Event Format (CEF).
To configure the new ASCII format option, use the following CLI command:
• fw template logging name > format ascii
NOTE: For details, see the “fw template logging” command in CLI chapter or
the section “Choosing CEF or ASCII Format” in the Data Center and Gi/SGi
Firewall Configuration Guide.
Hairpinning Support for GiFW

Hairpinning support is being offered in this release to enable two clients to be establish a connection
with one another using a full-cone session. This feature offers a way for the ACOS device to expose var-
ious ports.
NOTE: For more details, see the “Hairpinning Support” section in the Data Center
and Gi/SGi Firewall Configuration Guide.
HTTP Logging Support for GiFW

In previous releases, DCFW and Gi/SGiFW logging was restricted to the ability to send logs for events,
such as when a session was created or deleted, or when a client request was denied or reset. While this
level of logging works well for DCFW deployments, in some situations, extended support for GiFW log-
ging is required.
For details about the enhanced capabilities offered with HTTP Logging, see:
• “HTTP Logging Support” section in the Data Center and Gi/SGi Firewall Configuration Guide
• The follow options under the fw template logging command in the Data Center and Gi/SGi Fire-
wall Configuration Guide:
• include-http
• log http-requests
• rule http-requests
Include RADIUS Attributes in GiFW Logs

ACOS is configured to act as a RADIUS server so that it can receive RADIUS accounting requests that
include the client RADIUS attributes. When the inside user creates a data connection either from the IP or
from IPv6 address (from the prefix), ACOS then includes the RADIUS attributes while sending the log
messages.
page 92
Feedback
Use the include-radius-attribute option under the fw template logging command to include
RADIUS attributes to firewall log messages.
Additional show commands for GiFW

This release offers several new counters to facilitate easier management of stateful firewall sessions,
and which are available in the output of CLI ‘show’ commands, in the aXAPI, and in the SNMP MIBs.
The new counters can be used for GiFW sessions to accomplish the following:
• display system status information (memory usage, CPU usage, sessions usage) similar to CGN
• display firewall information related to full-cone-sessions used for hairpinning
• display firewall statistics for global counters and “Other” protocols
This release also adds the following new CLI “show” command:
• show fw system-status – Provides a list of firewall counters associated with CPU usage, memory
usage, data/SMP sessions used, and RADIUS table entries used.
NOTE: For more information, see the “show fw system-status” command in the
CLI chapter of the Data Center and Gi/SGi Firewall Configuration Guide.
Support Framed-IPv6-Prefix as Key Attribute in RADIUS Table

When a firewall rule-set configured with firewall logging is being applied to a rule, log messages are gen-
erated whenever a session is created, destroyed, or denied. This rule controls what type of traffic is
allowed to enter the firewall, and which traffic will be denied. While sending firewall logs, RADIUS attri-
butes can be added to the firewall log messages.
ACOS is configured to act as a RADIUS server so that it can receive RADIUS accounting requests that
include the client RADIUS attributes. To create a RADIUS server configuration for firewall deployment,
use the fw radius server command.
When client’s AAA server sends out RADIUS accounting packet that has the Framed IP and (/or)
Framed IPv6 Prefix to ACOS, ACOS intercepts the packet, creates a RADIUS table entry based on the IP
and IPv6 Prefix. When the inside user creates a data connection either from the IP or from IPv6 address
(from the prefix), ACOS then includes the RADIUS attributes while sending the log messages. When con-
figuring the Firewall RADIUS server or CGNV6 RADIUS server, use the framed-ipv6-prefix command to
specify the Framed IPv6 Prefix as a RADIUS attribute for RADIUS accounting requests.
NOTE: For details, see the Data Center and Gi/SGi Firewall Configuration Guide.
page 93
FeedbackF
Fee
e
Support for TCP Logging for GiFW

This release offers an enhancement that allows syslog messages to be sent over TCP rather than UDP.
Although UDP was supported in previous releases, it is a connectionless protocol, so some packets in a
stream of log message could get dropped. However, because TCP establishes is a connection-oriented
protocol, the log messages are more reliably transmitted.
To configure this option, use the following CLI commands:
• fw server > port num tcp

• fw service-group name tcp
For details, see the following locations in the Data Center and Gi/SGi Firewall Configuration Guide:
• “Configuring Firewall Logging” in the “Firewall Logging” chapter.
• The “fw server” or “fw service-group” commands in the CLI chapter.
IPv6 Migration (CGN) Enhancements

• Extend CGN TCP/UDP Idle-timeout for NAT Sessions
• Expand Maximum Number of Entries in CGN RADIUS Table
• Delete RADIUS Accounting-On Request for CGN
• Include Byte Count in CGN Logging for TCP/UDP Traffic
• Increase Maximum Number of HTTP Logging
• Include All Configured HTTP Header Names in CGN Log Messages
• Include File Extension of HTTP URI in CGN HTTP Logging
• Disable RADIUS Accounting Response Packet in CGN Logging with Toggle Option
• Support for Port Batching v2
Extend CGN TCP/UDP Idle-timeout for NAT Sessions

While configuring cgnv6 lsn-rule-list, the TCP/UDP session idle-timeout is configurable per host, net-
work and service-ports. The idle-timeout limit of NATed sessions is extended to 36 hours.
Expand Maximum Number of Entries in CGN RADIUS Table

The maximum number of entries in the LSN RADIUS table varies based on the amount of memory asso-
ciated with a particular ACOS platform. The LSN RADIUS table size only limits the maximum number of
page 94
Feedback
entries supported for each platform. However, you can create a customized LSN RADIUS table that sup-
ports a reduced number of entries, and is smaller than the platform-based maximum value.
To configure the RADIUS table size, use the cgnv6 resource-usage radius-table-size command. This
command is used to configure the total number of configurable CGNv6 RADIUS table entries.
NOTE: For more information, see the IPv4-toIPv6 Transition Solutions Guide.
Delete RADIUS Accounting-On Request for CGN

Upon receiving a RADIUS accounting-on request, the ACOS device can delete RADIUS table entries
associated with the attributes specified in the accounting-on request. Use the accounting on delete-
entries-using-attribute option at the RADIUS server configuration level to delete the entries associ-
ated with the specified attribute. The statistics for ignored RADIUS request messages can be viewed
using the show cgnv6 lsn radius server statistics command.
NOTE: For more information, see the IPv4-toIPv6 Transition Solutions Guide.
Include Byte Count in CGN Logging for TCP/UDP Traffic

In CGN logging messages, there is now an option to include traffic byte counts. This will track the byte
count for all TCP, UDP, ICMP, and “Other” CGN traffic. The traffic byte counts are displayed in the ses-
sion deletion log, and the fields can be viewed in the default, compact, binary, custom, and RFC-5424
logging format. To configure this feature, use the include-session-byte-count command at the NAT
logging template configuration level.
NOTE: For more information, see the Traffic Logging Guide for IPv6 Migration.
Increase Maximum Number of HTTP Logging

When configuring HTTP logging, users can specify to log only HTTP requests that get sent to particular
destination ports. HTTP logging is supported for up to 64 different destination ports.
Include All Configured HTTP Header Names in CGN Log Messages

HTTP logging can be configured so that fixed headers appear in every log message, even if they are not
in the client’s request. This includes headers such as HTTP cookie, Referrer, and User-Agent, as well as
custom headers. The configured headers will appear in the same order in all log messages. If HTTP log
messages exceeded 12000 bytes, then the log message will be dropped. It is recommended to config-
ure the max HTTP header length so that the HTTP log messages do not exceed this limit.
To include all headers in every log message, even if the header is not in the HTTP request, use the rule-
http-requests include-all-headers command.
page 95
FeedbackF
Fee
e
Include File Extension of HTTP URI in CGN HTTP Logging

For CGN HTTP log messages, when an HTTP URI is received, the file extension is parsed out and added
into the log message in the extension (“Ex=”) field. Only the first 5 bytes after the “.” delimiter are
recorded in the log, and any capitalized file extensions will be converted to lowercase. If the URI does
not contain a file extension, the extension field will be left blank in the log message.
To configure the URI file extension in HTTP logs, use the include-http file-extension command at
the NAT logging template level.
Disable RADIUS Accounting Response Packet in CGN Logging with Toggle Option
Whenever ACOS receives and successfully processes a RADIUS accounting request message, it sends
a RADIUS accounting response in reply. If a confirmation is not needed, or if the user wants to limit a
potential flood of response messages, then this option can be disabled so that no RADIUS accounting
response is sent.
To disable RADIUS accounting responses from being sent in reply to RADIUS accounting requests, use
the disable-reply command at the CGNV6 LSN RADIUS server configuration level:
NOTE: For more information, see the IPv4-to-IPv6 Transition Solutions Guide.
Support for Port Batching v2

Port Batching v2 offers the following capabilities:
1. Contiguous Port Batch Assignment in Port Batching v2

In Port Batching v2, contiguous port batch assignment is supported, for example,
1024,1025,1026,1027.
2. Enhanced Capabilities in Port Batching v2:
• Maximum port batch size is increased to 4096.
• Warning logs can be generated when the usage of one port batch has reached the configured
threshold.
• Simultaneous allocation of the same TCP and UDP batches is supported.
• NAT port range is configurable for NAT pools.
3. When configured with Port Batching v2 within an IP NAT pool, ACOS uses less memory and has
better traffic processing performance.
4. When configured with Port Batching v2, contiguous ports in a batch are more manageable and
usable by external logging analyzers.
For more information, see Port Batching v2.
page 96
Feedback
Layer 2/3 Routing Enhancements

• Load Balancing for Layer 2 Switched Packets on Trunk Interfaces
Load Balancing for Layer 2 Switched Packets on Trunk Interfaces

This feature enables you to configure load balancing for Layer 2 switched packets on trunk interfaces.
NOTE: See the system trunk load-balance command in the Command Line
Interface Reference Guide for more information.
Monitoring Enhancements
• Logging Severity Change for Log Fields
Logging Severity Change for Log Fields

In this release, ACOS allows the user to change the severity of the log-fields that are defined in the
schema file. The log-fields in the schema are parsed and loaded into a table in the event logging library.
One of the parameters for the log-fields is “severity”. This parameter can take different values based on
the rules configured in the active logging template.
The decision of whether to send the packet out or not is based on the severity of the log-message. In
this release, the user can now change the severity of a log message that was already loaded into the
library, and this new severity of the log-field reflected in the event logging hash table.
You can use the “no” form of this command to restore the default value as defined in the schema.
NOTE: For more information, see the acos-events message-id command in the
CLI Reference.
Platform Enhancements
• COTS Bare Metal Enhancements
page 97
FeedbackF
Fee
e
COTS Bare Metal Enhancements

In this release, the Bare Metal platform is enhanced with the following options:
• Auto-installation – This enhancement simplifies ACOS installation on the Commercial-off-the-

Shelf (COTS) devices by using a kickstart file to provide input parameters to an installation script.
For more information, see “Auto-Installing ACOS on Thunder Bare Metal” in the Thunder Bare
Metal Installation Guide.
• USB Key License – This enhancement allows you to install the ACOS license on a USB key instead
of installing it on directly onto the Bare Metal hardware. The license travels with the USB key.
When the key is inserted into the USB port on the hardware, the features and permissions associ-
ated with that license are enabled on the device. This option makes the ACOS license easily porta-
ble. For more information, see “Step 6. Install a License via USB Key (Optional)” in the Thunder
Bare Metal Installation Guide.
Cloud Enhancements
• Backup and Restore Functionality
• Setting Maximum Upper Limit of Cores for I/O Processing
• vThunder for KVM (Virtio) Support for System Poll Mode
• vThunder for KVM (Virtio) Support for OvS-DPDK
Backup and Restore Functionality

The releases enhances the backup and restore functionality to support any combination of ACOS
devices.
NOTE: See “Restoring from a Backup” in the System Configuration and Adminis-
tration Guide for details.
Setting Maximum Upper Limit of Cores for I/O Processing

For vThunder and Bare Metal devices that are running with System-poll-mode (i.e., DPDK mode)
enabled, you can dynamically set the maximum upper limit of cores dedicated to I/O processing using
the following CLI command: system io-cpu max-cores max-core-limit
NOTE: For more information, see “Setting the Maximum Limit of Cores for I/O
Processing” in the vThunder Install Guides1 and the “CPU Core Manage-
ment Commands” section in the Thunder Bare Metal Installation Guide.
page 98
Feedback
vThunder for KVM (Virtio) Support for System Poll Mode

Previous ACOS releases supported Interrupt Mode, but in this release, vThunder for KVM (Virtio) offers
support for System Poll Mode and DPDK mode.
In order for vThunder for KVM (Virtio) to support Virtio DPDK, the DPDK driver will be loaded when ACOS
starts up. There are no required configuration changes to enable this new behavior.
System Poll Mode uses the Data Plane Development Kit (DPDK), which is a set of data plane libraries
and network interface drivers that can be used to accelerate fast-packet processing. The DPDK library
was created by Intel and made available through BSD open source license. DPDK maximizes through-
put and minimizes packet processing time through several methods, such as bypassing the kernel, pro-
cessing packets in the user space, and using polling instead of interrupts.
NOTE: For more information, see “System Poll Mode” in the vThunder for KVM
(Virtio) Installation Guide.
NOTE: System poll mode is supported for vThunder instances running on the
following: VMware, KVM, AWS, OpenStack, and HVA. However, system
poll mode is not supported for vThunder instances running on Hyper-V or
Azure.
vThunder for KVM (Virtio) Support for OvS-DPDK

To provide better performance and higher throughput for vThunder for KVM (Virtio) users, ACOS 4.1.1-
P2 offers support for Open vSwitch release 2.4.9 (with DPDK version 2.2.0). Open vSwitch (OvS) with
DPDK offers faster speeds for traffic forwarding, compared to those offered by the default Linux bridge
in prior releases.
Once OvS with DPDK is set up on the host, you do not need to run any additional ACOS CLI commands
to enable the new behavior. The vThunder instance will automatically use the new OvS bridge.
You can follow the vendor-agnostic instructions from Intel’s website to install and configure OvS with
DPDK on your vThunder instance(s): https://download.01.org/packet-processing/ONPS2.1/Intel_ONP_Re-
lease_2.1_Performance_Test_Report_Rev1.0.pdf
Web Application Firewall (WAF) Enhancements

1.
Only vThunder versions that support System Poll Mode (DPDK), such as VMware, KVM (Virtio), and KVM (SR-IOV).
page 99
FeedbackF
Fee
e
• WAF Policies File Size Limit Increase
WAF Policies File Size Limit Increase

The size limit for WAF Policy Files increased from 256 KB to 10 MB.
NOTE: For more information, see WAF Policy File Size Limit Increased to 10MB
in the Changes to Default Behavior chapter.

• CGN Enhancements

• SSLi - ICAP Re-encrypt to Receive X-Protocol and X-Port Headers
• Enhancement to SSLi Failure Log
SSLi - ICAP Re-encrypt to Receive X-Protocol and X-Port Headers

In this release, ICAP services can be accessed from the second HTTP proxy in a proxy chain configura-
tion with SSLi as the first proxy. Prior to this release this topology was not supported.
Prior to this release, user-defined header extensions which allow ICAP clients to include information in
ICAP requests and responses were not preserved in the outside (re-encrypted) SSLi virtual server. This
page 100
Feedback
meant that a proxy chain configuration with SSLi as the first proxy would not support ICAP on the sec-
ond HTTP proxy.
In this release, the x-authenticated-user and original X-Client-IP (via X-Forwarded-For) header exten-
sions described in “ICAP Extensions, draft-stecher-icap-subid-00.txt” are now supported both on the
inside ACOS virtual server and the outside ACOS virtual server. See the “Redirection of SSLi Sessions to
ICAP Servers” chapter for further information.
Enhancement to SSLi Failure Log

When SSL Insight fails, the logs are updated to include the following information:
• Source IP address
• Source port number
• Destination IP address
• Destination port number
• Action taken – Rejected, Bypassed or Decrypted
See “SSLi Failure Logs” in the SSL Insight Configuration Guide for more information.
CGN Enhancements
• PCP DS-LITE Support for IPv6 Request with Third-party Option
• Enhancement to ECMP Hashing
PCP DS-LITE Support for IPv6 Request with Third-party Option

To support PCP requests for IPv6 packets from CPE, ACOS checks whether an IPv6 packet is sent from
an NAT64 client or a DS-Lite Tunnel. ACOS tries to match the IPv6 source address with the DS-Lite
inside class-list. If there is a match, ACOS then processes the request as a DS-Lite PCP request and
extracts the IPv4 address from the PCP third-party option. If the third-party option exists and an IPv4
address is provided, ACOS assumes the PCP request is sent from CPE on behalf of the DS-Lite client.
ACOS then allocates the NAT IP/port and sends back the PCP response.
Enhancement to ECMP Hashing

ECMP route and link load balancing is enhanced to support 4-tuple hashing for UDP/TCP/ICMP in
Static-NAT and LW-4o6 technologies, in addition to the previously supported UDP/TCP for LSN, Fixed-
NAT, NAT64, DSLite, and Gi/SGi-FW.
page 101
FeedbackF
Fee
e
ACOS 4.1.1 New Features
NOTE: See the cgnv6 ecmp 4-tuple-hash command in the Command Line Inter-
face Reference for CGN for more information.

The following enhancements are introduced in ACOS 4.1.1. This topic has the following sections:
• System Configuration and Administration
• Network Configuration
• VRRP-A High Availability
• Application Delivery Partitions
• Admin and Application Access Security Enhancements
• aFleX Enhancements
• Gi/SGi-Firewall Enhancements
• DC-Firewall Enhancements
• vThunder Enhancements
• Thunder HVA Enhancements
• Application Delivery and Server Load Balancing
• Global Server Load Balancing
• Platform Software Enhancements
• Platform Hardware Enhancements
• CGN Enhancements
System Configuration and Administration

The following enhancements are available in this release:
• New SNMP Object for Real Server Weight
• New SNMP Object for Total Interface Throughput
• New SNMP Object for Disabled Real Servers
page 102
Feedback
• New SNMP Object for Gateway Health-Check Failure
• Partition-aware SNMP Configuration
• Remove the Partition Name from Log Messages
• Sending Log Messages to a Server in Another Partition
• Resource Accounting for System Resources
• Enhanced Output for the show resource-accounting Command
• Dynamic Deep Packet for Micro Burst Traffic
• DNS Lookup Enhancement Over the Management Port
• MIB Support to show total performance across each partition
New SNMP Object for Real Server Weight

The axServerWeight object is added to return the weight configured for an SLB server. The OID for this
object is .1.3.6.1.4.1.22610.2.4.3.2.1.2.1.7.
New SNMP Object for Total Interface Throughput

The axGlobalTotalThroughput object is added to return the throughput of all interfaces. The OID for this
object is .1.3.6.1.4.1.22610.2.4.3.1.2.13.
New SNMP Object for Disabled Real Servers

The axServerDisabled SNMP object is added to notify you when an SLB server is disabled. The OID for
this object is 1.3.6.1.4.1.22610.2.4.3.12.2.2.29.
New SNMP Object for Gateway Health-Check Failure

For use along with the existing slb gateway-health-check command, an OID is added for sending an
alert log and SNMP trap to identify a gateway that has failed a health-check. If two gateways are listed
in the routing table for a particular network, an ARP request is sent to the first gateway. If there is no
response from the gateway after maximum retries (default is 3), ACOS stops forwarding packet to that
gateway and tries the next gateway configured.
For example, if there is more than one route specified in the routing table for the destination network of
192.0.2.0 /24:
ip route 192.0.2.0 /24 203.0.113.200

ip route 192.0.2.0 /24 203.0.113.202
page 103
FeedbackF
Fee
e
Then the debug mon command example below shows the ARP request and reply of the second gateway
203.0.113.202, after it has stopped trying the first gateway.
ACOS# debug mon

Wait for debug output, enter <ctrl c> to exit
@1439221 o( 2, 0, fe8)> arp who-has 203.0.113.202 tell 203.0.113.1

@1439221 i( 2, 1, 12077)> arp reply 203.0.113.202 is-at 00:0c:29:51:b4:d3 tell
203.0.113.1
NOTE: ACOS sends the ARP request health-check to only one of the gateways
that is active and used for forwarding packets.
When ACOS determines that the first gateway has failed the health-check, it sends an alert log along
with SNMP trap to SNMP manager.
Two new objects, axGatewayUp and axGatewayDown, are available for reporting gateway up or down sta-
tus changes.
NOTE: SNMP MIBs can be downloaded from the GUI; see “Downloading the
MIBs” in the System Configuration and Administration Guide.
Partition-aware SNMP Configuration

SNMP is enhanced to support the configuration of SNMP on private partitions. Such configuration will
be partition-aware and only applied to the partition being configured.
When SNMP is disabled in the shared partition, no configuration change is required in any L3V partition.
From the shared partition, the ACOS device will not get SNMP responses nor see any L3V traps.
With this SNMP enhancement, the traps in the L3V partition uses different community strings.
To enable L3v partition traps, SNMP service and community string on L3V partition must be configured.
The enabling/disabling of traps in L3V partition can only be done on the group level, and not on individ-
ual trap level.
NOTE: For information on how to configure SNMP in different partitions, see the
System Configuration and Administration Guide.
Remove the Partition Name from Log Messages

The disable-partition-name option is added under the logging global configuration command to pre-
vent the partition name from appearing in log messages.
page 104
Feedback
NOTE: See the logging command in the Command Line Interface Reference for
more information.
Sending Log Messages to a Server in Another Partition

The partition option is added to the logging host command for the following enhancements:
• To allow log messages to be sent from the shared partition to a syslog server in an L3V partition
• To allow log messages to be sent from an L3V partition to the shared partition or another L3V par-
tition (in ACOS 2.x releases, only sending a log message from an L3V partition to the shared parti-
tion was allowed)
NOTE: See “System Log Messages” in the System Configuration and Administra-
tion Guide for more information.
Resource Accounting for System Resources

Resource accounting and threshold limiting for all system resources in L3V partitions are now provided,
along with logging and trap functionality for those resources.
When a template is applied to an L3V partition, the library is updated with the template configuration.
The library is updated whenever a system per-sec resource is obtained and returned. ACOS maintains
the below set of data in the resource library:
1. Current Value - Usage in the previous elapsed second.

2. Average Value - Average value of the per second usage, since the value was last reset.
3. Peak Value - Peak usage value since it was last reset.
4. Max-limit - Configured maximum limit for the resource.
5. Threshold-limit - Configured threshold limit for the resource.
For more examples, see “show system resource-usage template” in the Command Line Interface Refer-
ence.
The following gives an example of a Syslog message based on the configured system-resource thresh-
olds.
Apr 04 2015 22:49:31 Alert [ACOS]:<p1> Resource L4 CPS is now above threshold limit (10%)
Use the clear resource-accounting command to clear system resource data.
page 105
FeedbackF
Fee
e
NOTE: For per-second resources, Peak is set to 0. For other resources, Peak is
set to the current peak value.
Enhanced Output for the show resource-accounting Command

The show resource-accounting command is enhanced to allow better customization of the output. Two
new filtering parameters, resource-type and summary, are added.
NOTE: For more information, see “show resource-accounting” in the Command

Line Interface Reference.
Dynamic Deep Packet for Micro Burst Traffic

Microbursts are traffic patterns where traffic arrives in small bursts and last only a few microseconds.
They are hard to detect using standard network management tools that sample data rates over a few
seconds. When only one device is communicating with another device in the network, bursts are usually
not a problem as there is no oversubscription.
However, when many devices (initiators) are talking to one target, then the bursts can result in fan-in.
Fan-in caused by microbursts can cause short-term packet loss.
This feature protects devices against microbursts.
When ASIC/L2 detects congestion pause frame is sent to the Flexible Traffic Assist (FTA) complex, the
FTA complex then sends a notification to the CPUs to hold packets in buffer. CPU Complex then has
sufficient buffer memory to handle these microburst (8Gbyte).
A new CLI system queuing-buffer enable command is introduced to add TX pausing support on net-
work ports/links during microburst traffic.
NOTE: This CLI is supported on FPGA/Broadcom-based platforms only.
DNS Lookup Enhancement Over the Management Port

An enhancement is made to allow NTP servers to resolve DNS lookup issues over the management
port. No configuration changes are required.
MIB Support to show total performance across each partition

In this release, MIB supports OID to show performance for each partition.
page 106
Feedback
Network Configuration
• Trunk ID Enhancement
• Tunnel Name Enhancement
• IP Reroute Protocol Suppression
Trunk ID Enhancement
The trunk-group interface configuration command is enhanced to allow a trunk ID in the range from 1-
4096. Previously, only IDs 1-16 could be configured.
This enhancement can also be found in the GUI by navigating to Network >> Interfaces >> LAN >>
Update. In the Trunk Group section, the Trunk Number field can accept a Trunk ID number in the range
from 1-4096.
NOTE: For more information, see “trunk-group” in the Network Configuration

Guide.
Tunnel Name Enhancement

The name command is supported under tunnel configuration, enabling you to provide a description or
name for the trunk being configured.
NOTE: For more information, see “name” in the “Config Commands: Interface”
chapter in the Network Configuration Guide.
IP Reroute Protocol Suppression

The ip reroute and ipv6 reroute commands and the suppress-protocols subcommand are added.
When routes are added, use of these commands specify not to trigger a route table version change
update for the protocol specified.
NOTE: For more information, see “ip reroute” in the “Config Commands: IP”
chapter and “ipv6 reroute” in the “Config Commands: IPv6” chapter in the
Network Configuration Guide.
VRRP-A High Availability

page 107
FeedbackF
Fee
e
• Viewing Information for all VRIDs
• Viewing Information for VRIDs per Partition
• Viewing Config Sync Status in CLI and aXAPI
Viewing Information for all VRIDs

The show vrrp-a all-partitions command is added for viewing the status of all VRIDs in all partitions.
NOTE: See show vrrp-a all-partitions in the Configuring VRRP-A High Avail-
ability Guide for more information.
Viewing Information for VRIDs per Partition

The show vrrp-a partition command is added to enable you to view the status of all VRIDs in a spe-
cific partition.
NOTE: For more information, see show vrrp-a partition in the Configuring
VRRP-A High Availability Guide.
Viewing Config Sync Status in CLI and aXAPI

Configuration synchronization status is available in a VRRP-A environment via the CLI and the aXAPI.
For more information, see:
• show config-sync in the Command Line Interface Reference.
• config_sync in the aXAPI Reference.
Application Delivery Partitions

The following enhancements are available in this release. This topic has the following section.
• Partition Customizable SNMP Community Strings
Partition Customizable SNMP Community Strings

The SNMPv1-v2c Users monitor that was previously only available in the shared partition of the GUI is
now available in L3v partitions. This enhancement can be found in the GUI by navigating to System >>
Monitoring and selecting SNMPv1-v2c Users from the SNMP drop-down menu.
page 108
Feedback
Admin and Application Access Security Enhancements

The following enhancements are available in this release.
• Explicit Proxy Authentication Support
• LDAP Partition Awareness
Explicit Proxy Authentication Support

An AAA policy can be configured for explicit proxy authentication through the use of auth-sess-mode
from the CLI in authentication template sub-configuration or through the GUI.
For explicit proxy client authentication using form-based-logon in an SSLi set up in conjunction with
checking against user/group membership, to ensure the explicit proxy client authentication occurs, con-
figure “match-any” or “match-class-list” in the source rule so it matches the first request in the slb policy
template.
See “Creating an Authentication Template” and “Tracking Sessions” in the Application Access Manage-
ment for more information on configuration.
LDAP Partition Awareness

In earlier ACOS 4.1.x versions, the ldap-server command could not be used to configure LDAP servers
specific to an L3V partition. All LDAP servers were shared regardless of where they were created and
configured. In this release the ldap-server command is partition aware and each L3V partition can have
its own independent LDAP server for authentication.
aFleX Enhancements
• Increased aFleX Log Message Length
• Increased aFleX Session Table Entries
• Enhancement to the aFleX HTTP::redirect Command
• Output for show running-config Command Shows all aFleX Scripts
• Multiple aFleX Policies Bound to one Virtual Port
• Enhancements to the RESOLVE::lookup Command
• Increase to aFleX Display Field Size
• aFleX Event LB_FAILED Enhanced
• Binding aFleX Scripts Under FTP-Proxy Virtual Ports
page 109
FeedbackF
Fee
e
• TCP::Payload Replace Enhanced for TCP and FTP Virtual Ports
Increased aFleX Log Message Length

The length of log messages generated by aFleX events is increased from 512 bytes to 1024 bytes. No
configuration changes are required.
Increased aFleX Session Table Entries

The maximum number of aFleX session table entries that can be created is increased. The maximum
number will vary based on the platform type, CPU, how the device is configured, and how the device is
used rather than solely based on memory.:
Number of Table Entries Memory Required

4M 6 GB memory
6M 8 GB memory
8M 12 GB memory
10 M 16 GB memory
10 M 24 GB memory
20 M 32 GB memory
20 M 64 GB memory
20 M 128 GB memory
Use the system resource-usage aflex-table-entry-count command to defines the total number of
aFleX entries per table. Reboot the system for the change to take effect. For high capacity mode, such
as system resource-usage aflex-table-entry-count as a non-default value (100k), the recommenda-
tion is to use only one table.
NOTE: See system resource-usage in the Command Line Interface Reference for
more information.
Enhancement to the aFleX HTTP::redirect Command

The 256-character limitation from the URI inspection of the aFleX HTTP::redirect command is
removed. No configuration changes are required.
NOTE: See the aFleX Scripting Language Reference for more information about
HTTP:redirect.
page 110
Feedback
Output for show running-config Command Shows all aFleX Scripts

The show running-config command is extended to show all aFleX scripts in the partition configuration
output. This is possible in conjunction with the new aflex-scripts option.
NOTE: See show running-config in the Command Line Interface Reference for
more information.
Multiple aFleX Policies Bound to one Virtual Port

aFleX contains an enhancement for when multiple policies are bound to the same virtual port. In the
past, when multiple aFlex policies were bound to the same virtual port with the same event defined, they
were merged together and treated as one. When the defined event was triggered, the statistics would
increment for all pieces of the merged policy, regardless if all of them were actually invoked. With the
recent enhancement, each aFleX policy is treated separately.
In the example that follows, both test1 and test2 are bound to the virtual server called vs-1-11-1 on port
80 and have the HTTP_REQUEST event defined. If the “HTTP::cookie remove test” command fails, the sta-
tistics will now increment separately for each policy:
ACOS#show aflex test1

Name: test1
Syntax: Check
Virtual port: Bind
vs-1-11-1: 80
Statistics:
Event HTTP_REQUEST execute 1 times (1 failures, 0 aborts)
Content:
when HTTP_REQUEST {
log “HTTP request 1”
HTTP::cookie remove test
}
ACOS#show aflex test2

Name: test2
Syntax: Check
Virtual port: Bind
vs-1-11-1: 80
Statistics:
Event HTTP_REQUEST execute 1 times (0 failures, 0 aborts)
Content:
when HTTP_REQUEST {
log “HTTP request 2”
page 111
FeedbackF
Fee
e
The failure statistics are different because test1 fails, but test2 succeeds. In the past, the show output
for both test1 and test2 would show a failure. The enhancement applies to all events for execute, failure,
and abort.
Enhancements to the RESOLVE::lookup Command

The RESOLVE::lookup command is enhanced to support the CLIENT_ACCEPTED and CLIENT_DATA events
in aFleX scripts applied to TCP-Proxy virtual ports.
NOTE: See RESOLVE::lookup in the aFleX Scripting Language Reference for more
information.
Increase to aFleX Display Field Size

The display field size for aFleX scripts is increased from 26 to 63 characters to match the size of aFleX
rule names. In ADC >> SLB >> Virtual Servers >> Vserver_Example >> Virtual Port when you
create or edit in the General section, you can now see the full names of the available aFleX rules.
aFleX Event LB_FAILED Enhanced

Previously, LB_FAILED would be triggered only when the service group was down or ACOS transmitted
a SYN on a data session to a server but received no response from the server. This enhancement
enables LB_FAILED to also be triggered when the TCP port is closed. ACOS will send a SYN to the server
and the server will respond with an RST.
This feature only works on tcp-proxy vport.
Binding aFleX Scripts Under FTP-Proxy Virtual Ports

This release adds support for binding aFleX scripts under FTP-Proxy virtual ports. For example:
ACOS(config)# slb virtual-server VIP1

ACOS(config-slb vserver)# port 21 ftp-proxy
ACOS(config-slb vserver-vport)# aflex my_aflex_script
The LB_SELECTED and LB_FAILED events are not supported when binding an aFleX script under an FTP-
Proxy virtual port.
page 112
Feedback
TCP::Payload Replace Enhanced for TCP and FTP Virtual Ports

The aflex command TCP::payload replace is enhanced to support TCP and FTP virtual ports, in addi-
tion to the previously supported TCP-proxy virtual port.
See TCP::payload replace in the aFleX Scripting Language Reference for more information.
Gi/SGi-Firewall Enhancements
• Displaying or Clearing Firewall Helper Sessions
• Firewall Rule-set for Gi/SGi-FW
• Firewall Logging Template
• CEF Format Support for CGN Traffic Logging
Displaying or Clearing Firewall Helper Sessions

A new helper-sessions option is added to the show fw resource-usage command to show the number
of helper SMP sessions created and the maximum limit of the SMP sessions that could be possible.
The clear sessions fw helper-sessions command is used to clear the SMP helper sessions.
Firewall Rule-set for Gi/SGi-FW

Firewall rule-set option is enhanced to allow each rule to be configured with the “permit” action associ-
ated with a selected application to be applied to packets matching the rule. The rule can be configured
as generically as “forward” or “cgnv6”, or exclusively as “cgnv6 lsn-lid 2” or “cgnv6 fixed-nat”.
By default, a “permit” rule with no application specified is L3-forwarded and will create a new firewall
session. In other words, it is treated the same as a permit rule with an application specified as “forward”.
For a rule without an application associated with it, use the command fw permit-default-action
{next-service-mode | forward} to change the behavior of the rule. This command changes the way a
packet will be processed by matching a rule that contains “action permit”.
Firewall Logging Template

Firewall logging template supports a round-robin method of selecting servers to send out logs. Configu-
rable hash under a firewall logging template is not supported.
Within any given partition, configuring an SLB template with the same name as a firewall template is not
permitted.
page 113
FeedbackF
Fee
e
The only option available under the firewall logging template is to configure the service group. Only fire-
wall service-group can be bound to a firewall logging template. UDP is supported as the only firewall
service group type that can be bound to a firewall logging template.
Use the fw template logging fw_logging command configure the firewall logging template. Then, use
the fw logging fw_logging command to bind the firewall logging template globally:.
CEF Format Support for CGN Traffic Logging

The support of CEF format is implemented for various log message types supported by CGN traffic log-
ging. The following CGN Traffic log messages are supported with CEF format:
• NAT44/NAT64 with LSN and Fixed NAT: session-creation, session deletion, nat port assignment,
nat port free
• Nat44/NAT64 with Fixed NAT: fixed nat port usage, fixed-nat port disable
• NAT44/NAT64 with LSN port batching v1: port batch allocation, port batch free
• NAT44/NAT64 with LSN port batching v2: port batch free, port pool batch allocation/free
DC-Firewall Enhancements
• Support for Port-based Idle Time Outs
• Multiple Src/Dst/Service Objects in a Single Rule
• System Resource Connections-per-Second Limits for Firewall
• Local Type Zone Enhancements
Support for Port-based Idle Time Outs

In previous releases, firewall session-aging templates support configuration of protocol-based idle time-
outs for TCP, UDP, ICMP, and IP-other protocols. These timeouts come into effect when the firewall ses-
sion-aging template is bound to an active-rule-set configuration.
This release offers an enhancement that allows customers to configure per-port timeouts for TCP/UDP
under the firewall session-aging templates, as well as idle-timeouts under individual rules in a rule-set.
This enhancement may be helpful for long-lived protocols, such as those used to perform backups or
data replication. It may help meet the needs of customers who require the ability to configure different
TCP/UDP ports with different timeout values, or who need to be able to configure idle-timeout values
under individual rules within a rule-set.
page 114
Feedback
In this release, port-based timeouts and rule-based idle-timeouts are only available for TCP and UDP,
and can only be configured for destination ports.
NOTE: For more information, see the fw session-aging and rule commands in
the CLI chapter of the Data Center and Gi/SGi Firewall Configuration
Guide.
Multiple Src/Dst/Service Objects in a Single Rule
In previous releases, a rule within a rule-set rule could only contain one of each of the Src, Dst, or Service
objects.
For example, prior releases had the following limitation when configuring a rule-set rule:
rule-set rs1
rule 1
action permit log
source ipv4-address 192.168.15.1 <--- only one “src” allowed per rule
dest object-group VIP-Base <--- only one “dst” allowed per rule
service udp dst eq 53001 <--- only one “service” allowed per rule
However, to support easier configuration and management of the rules in a firewall rule-set, this release
supports the ability to configure multiple Src/Dst hosts, subnets, objects, object-groups, and services
within a single rule.
Example
The following "rule 22" now supports the ability to include many Src object, Dst object, and Service
objects:
rule-set rs2
rule 22
source ipv4-address 123.123.123.123/32
source object obj1
source server ntlmsvr
dest ipv4-address 234.234.234.234/32
dest ipv4-address 143.143.143.143/32
dest object-group ogn11
dest virtual-server testvs
service tcp
service proto-id 11
service proto-id 22
service object-group ogs1
service object-group ogs2
page 115
FeedbackF
Fee
e
service icmp type 33 code 44
NOTE: Within a single rule, you can now configure up to 256 for each of the fol-
lowing types of objects: source IP, destination IP, and service
NOTE: Only one source zone or destination zone can be configured per rule.
NOTE: For more information, see the rule command in the CLI chapter of the
Data Center and Gi/SGi Firewall Configuration Guide.
System Resource Connections-per-Second Limits for Firewall ɸɸ

Previous releases did not support the ability to configure a connections-per-second (CPS) limit for fire-
wall sessions.
However, when configuring the system resource-accounting template this release adds the fwcps-
limit-cfg command (under template sub-option system-resources), and allows you to configure CPS
limits for firewall sessions.
For example, the option in blue in the sample config below represents the new syntax associated with
this enhancement:
system resource-accounting template t1

system-resources
fwcps-limit-cfg max 100
!
partition p1 id 1 application-type adc
template
resource-accounting t1
You can configure a limit on the number of sessions from 100-1000000.
The template can then be bound to the target partition where you want to CPS limit to apply.
NOTE: For more information, see the “system resource-accounting template”

command in the Command Line Reference Guide.
Local Type Zone Enhancements

Prior to ACOS 4.1.1, configuring a rule with a destination IP address which is that of the ACOS device (such as a
VIP), required that the destination zone be zone type any. If the configured destination is an IP of the ACOS device
itself, then the packet was not forwarded out the device and the resulting route lookup was empty.
page 116
Feedback
However, in ACOS 4.1.1 and later, you can send traffic to the ACOS device by configuring the local-type com-
mand as the destination zone criteria. This designates the zone type as a “local zone” and simultaneously
removes the ability to add interfaces, management interface, VLANs, tunnels, VEs, and trunks to that local zone.
NOTE: Do not create a zone with the name “any” or you will not be able to later
delete this zone. This limitation exists because ACOS auto-creates a zone
called “any”, but the zone does not appear in the output of the “show run-
ning” CLI command. Therefore, if you manually create a zone called “any”,
it will be visible in the output, but because it has the same name as the
system-generated zone, you will not be able to delete it.
NOTE: For more information, such as limitations associated with this new
option, see the zone command in the CLI chapter of the Data Center and
Gi/SGi Firewall Configuration Guide.
vThunder Enhancements
• VMXNET3 Network Adapter for Multiple Interfaces
• System Poll Mode
• vThunder for OpenStack
• Instructions for Running vThunder on OpenStack
VMXNET3 Network Adapter for Multiple Interfaces

This release extends the ability to run vThunder for VMware in “non-dedicated management port mode”
to vThunder instances running ACOS 4.1.1. When a vThunder for VMware instance is in this mode, only
one network adapter (VMXNET3 device driver) is used for all interfaces (both data and management).
This is in contrast to previous releases, in which the E1000 device driver was typically used as the driver
for a dedicated management interface and a different driver was used for the data ports.
NOTE: For more information, see “Support for Non-dedicated Management Port
Mode” in the vThunder for VMware ESXi Installation Guide.
System Poll Mode

Previous ACOS releases supported Interrupt Mode, but beginning with ACOS 4.1.1, vThunder offers sup-
port for System Poll Mode. System Poll Mode uses the Data Plane Development Kit (DPDK), which is a
set of data plane libraries and network interface drivers that can be used to accelerate fast-packet pro-
cessing. The DPDK library was created by Intel and made available through BSD open source license.
page 117
FeedbackF
Fee
e
DPDK maximizes throughput and minimizes packet processing time through several methods, such as
bypassing the kernel, processing packets in the user space, and using polling instead of interrupts.
NOTE: For more information, see “System Poll Mode” in the vThunder for
VMware ESXi Installation Guide.
NOTE: System poll mode is supported for vThunder instances running on the
following: VMware, KVM, AWS, OpenStack, and HVA. However, system
poll mode is not supported for vThunder instances running on Hyper-V or
Azure.
vThunder for OpenStack

This release extends vThunder support to OpenStack, the free and open-source software platform used
for cloud management.
The vThunder virtual appliance is a fully operational, software-only version of the ACOS Series Server
Load Balancer (SLB), Application Delivery Controller (ADC), or IPv6 migration device. vThunder retains
most of the functionality available on the hardware-based ACOS appliances, and it is managed using
the same CLI and GUI interface.
Instructions for Running vThunder on OpenStack

For more information about running vThunder on the OpenStack platform, see the following articles at
OpenStack.org1:
• How to add and manage qcow2 image files:
• http://docs.openstack.org/user-guide/common/cli-manage-images.html
• http://docs.openstack.org/user-guide/dashboard-manage-images.html
• How to boot a vThunder instance in OpenStack:
• http://docs.openstack.org/user-guide/cli-launch-instances.html
• http://docs.openstack.org/user-guide/dashboard-launch-instances.html
• How to access the vThunder CLI through a VGA console
• http://docs.openstack.org/user-guide/cli-access-instance-through-a-console.html
1.
[Unattributed]: “Manage images”: [http://docs.openstack.org/user-guide/common/cli-manage-images.html]: para. all: [Oct
11, 2016]
page 118
Feedback
NOTE: There is no GUI guide for this, but the information can be found in the
same place as launching. For example, navigate as follows: compute >
instance > console
System Requirements
• The minimal resource requirements for vThunder instances running on OpenStack:
• CPU must be <= 8
• Memory must be at least 4GB RAM
• Free disk space must be at least 12GB
• The instance must be provisioned with two networks/NICs (management and data inter-
faces)
Limitations
• The key pair is unsupported on vThunder for OpenStack instances.
• Deleting and/or attaching data ports is only supported while the vThunder instance is in a shut-
down state. You cannot modify (delete/attach data ports) for active vThunder instances.
• If using special hardware, such as SR-IOV, this hardware must be configured by the operator as
normal.
Thunder HVA Enhancements

The following Hybrid Virtual Appliance (HVA) topics are covered in this section:
• Jumbo Frame Support for vThunder Instances on HVA
• Assigning a Static Management IP to vThunder Instances on HVA
• LACP Support for vThunder Instances on HVA
Jumbo Frame Support for vThunder Instances on HVA

The Thunder Hybrid Virtual Appliance (HVA) extends jumbo frame support to vThunder instances run-
ning ACOS 4.1.1. A jumbo frame is an Ethernet frame that is more than 1522 bytes long. Support for
jumbo frames is offered on Layer 4 VIPs, as well as Layer 7 VIPs that handle application-layer traffic,
such as HTTP.
NOTE: For more information, see “Enabling Jumbo Frame Support” in the A10
Thunder Series 3030S/3530S Hybrid Virtual Appliance Guide.
page 119
FeedbackF
Fee
e
Assigning a Static Management IP to vThunder Instances on HVA

DHCP is used to assign an IP address to new vThunder instances when they are first launched. How-
ever, if desired, you can override this default behavior by manually assigning a static IP to the vThunder
instances. This release extends the ability to assign a static management IP to vThunder instances that
are running ACOS 4.1.1.
NOTE: For more information, see “Assigning a Static IP to vThunder Instead of

Using DHCP” in the A10 Thunder Series 3030S/3530S Hybrid Virtual Appli-
ance Guide.
LACP Support for vThunder Instances on HVA

HVA adds support for LACP, or link aggregation control protocol, for vThunder instances running ACOS
4.1.1. Link aggregation is a method of bonding two or more Layer 2 links into a single logical channel, or
trunk. By combining several links into one logical channel, bandwidth and network resiliency are
improved with automatic failover for the links within the trunk.
When LACP is used with an HVA device that has many vThunder instances running, you can configure a
single LACP trunk going to the switches in the data center, and the vThunder instances can share that
one trunk.
NOTE: For more information, see “LACP Support – Enabling many vThunder
instances to share a trunk” in the A10 Thunder Series 3030S/3530S
Hybrid Virtual Appliance Guide.

• New CSR Digests
• SSLi Extended Statistics
• SSLi Source NAT
• DSCP for Layer 7 SSL Proxy Server Policy
• Support for Increased Number of SNI Entries
• Log Generated When SSL Insight Fails
• Single Partition Support
• Show SSL Statistics Enhancement
• Request Certificate Authorities
page 120
Feedback
• DHE Ciphers supports 1024-bit or higher moduli
• Certificate Extension for SSL Insight
• SSLi GUI Wizard
• Generate Self-Signed CSR
• Support for SSL/TLS Secure Renegotiation
• Support for HTTPS Import
• ICAP HTTP Block Counters
• ICAP Feature to Send Entire URL for DLP
• Secure ICAP
• ICAP Fail Close Option
• ICAP Pre-Filter Allowed Methods and Minimum Payload
• ICAP Logging
New CSR Digests

In prior 4.x.x releases, all CSRs created through the pki create csr command use SHA1 as the digest.
SHA1 is being deprecated. In this release, users can choose to use stronger digests (SHA256, SHA384,
SHA512).
SSLi Extended Statistics

A new command, show slb ssl-forward-proxy-stats, is added to display additional SSL forward-proxy
counters. A second new command, slb ssl-forward-proxy sampling-enable, is added to enable sam-
pling of SSL forward-proxy counters for use with the AXAPI. See the Command Line Reference for ADC
book for details.
SSLi Source NAT

In some applications of SSLi, it is important to choose the source IP address. For example, when SSLi is
configured for transparent HTPP proxy chaining, SSLi source NAT allows the network administrator to
specify source IP addresses on a client-initiated FETCH session. The source NAT addresses can be
used by the chained upstream HTTP proxy server to differentiate the fetched traffic from all other traf-
fic. It can then apply different policies to the fetched traffic from the policies it applies to all other traffic.
See “Using SSLi Source NAT” in the SSL Insight Configuration Guide for additional information.
DSCP for Layer 7 SSL Proxy Server Policy

Prior to this release, the configuration of the Differentiated Services Code Point (DSCP) value was used
to distinguish outgoing packets on Layer 4 connections, but could not be used to distinguish outgoing
page 121
FeedbackF
Fee
e
packets in Layer 7 sessions such as ACOS SSL Proxy configurations. In this release, DSCP can now be
used for L7 proxy connections.
If a template is configured with a DSCP value and the template is applied to port, the ACOS device
marks all packets from the proxy. If the proxy application sends packets back to the clients, those pack-
ets are also marked with the DSCP value.
NOTE: For more details on this, see the following:
• The dscp command in the “Config Commands: SLB Real Port Templates” chapter
of the Command Line Reference for ADC book.
• The dscp command in the “Config Commands: SLB Virtual Port Templates” chap-
ter of the Command Line Reference for ADC book..
• The “Example Configuration: DSCP Dynamic-Port SSLi” section of the “Dynamic-
Port SSLi” chapter of the SSL Insight Configuration Guide.
Support for Increased Number of SNI Entries

This release supports up to 8192 Server Name Indication (SNI) entries, whereas previous releases sup-
ported only 1024 SNI entries. ACOS has supported the use of the SNI extension to the TLS protocol for
several releases. This support allows web servers to host content for multiple domains at the same IP
address by issuing a separate server certificate for each domain.
By increasing the maximum number of SNI entries per IP, customers can host more domains per VIP.
This enhancement can be helpful for web-hosting companies that have many websites but a relatively
limited number of IP addresses.
ACOS has a maximum limit of 8192 SSL contexts available to the whole system, meaning that one SNI
entry bound to a virtual port uses up one SSL context. Therefore, you could reach that limit by configur-
ing one client-SSL template (with 8192 SNI entries) and binding it to one virtual port (8192 x 1 = 8192),
or the limit could be reached by configuring a client-SSL template that has 2048 SNI entries and binding
it to four virtual ports (2048 x 4 = 8192).
NOTE: For more information about configuring SNI, see:
• “Server Name Extension Support” in the SSL Insight Configuration Guide.

• “Support for TLS Server Name Indication” in the Application Delivery and Server
Load Balancing Guide.
Log Generated When SSL Insight Fails

When SSL Insight fails, a log is generated that includes the following information:
• The server name indication (SNI)
• The IP address of the server.
page 122
Feedback
• The reason for the failure.
NOTE: For more information, see “SSLi Failure Logs” in the SSL Insight Configu-
ration Guide.
Single Partition Support

SSLi is possible using a single partition. For traffic steering purposes in a single partition SSLi topology,
the Ethernet and Trunk interfaces are available as selectors in extended ACLs for directing Layer 2 traf-
fic through specific interface IDs. See access-list (extended) command in the Command Line Inter-
face Reference for further information about the selectors.
For steering the traffic in a forward or reverse direction, the redirect-fwd and redirect-rev com-
mands are available. The forward direction steers traffic from client to Internet. The reverse direction
steers traffic from the Internet to the client. See the port command in the “Config Commands: SLB Vir-
tual Servers” chapter of the Command Line Interface Reference for more information.
NOTE: For configuration example information, see “SSLi Single Partition Sup-
port” in the SSL Insight Configuration Guide.
Show SSL Statistics Enhancement

The virtual server and virtual port arguments of the show slb ssl-counters and clear slb ssl-count-
ers commands are now optional. Previously, these arguments were required.
NOTE: See the SLB Show Commands for further information.
Request Certificate Authorities

The slb template client-ssl command now includes a client-certificate-Request-CA command. If
this command is entered, then the ACOS device includes the certificate(s) specified in the ServerHello
message. The client can then choose a client certificate for the handshake and complete the two-way
authentication.
NOTE: See the Config Commands: SLB Client SSL Templates document for
details on this command. See the SSL Offload and SSL Proxy document
for configuration instructions.
DHE Ciphers supports 1024-bit or higher moduli

Client-side SSL now rejects the “Server Key Exchange” from servers that present Diffie-Hellman (DH)
prime value of less than 1024-bits for the DHE_RSA ciphers. For SSLi configurations, the client side will
page 123
FeedbackF
Fee
e
now present DH prime values no less than 1024-bits. For the server side, ACOS will accept only DH
prime values that are 1024-bits or more.
Certificate Extension for SSL Insight

Two SSLi extensions are supported for all certificates that will be proxied by the ACOS device.
• Certificate Revocation List Distribution Point (CRLDP)
This extension provides the Uniform Resource Identifier (URI) of the CRL.
• Authority Information Access (AIA)
This extension can be used to identify the Certificate Authority (CA) Issuer’s URI or an Online
Certificate Status Protocol’s (OCSP) URI.
These features are used to improve the certificate validation process and adhere to the guidelines spec-
ified in RFC 5280.
NOTE: For more information, see forward-proxy-cert-ext in the Command Line

Interface Reference for ADC.
SSLi GUI Wizard

Under the System tab in the GUI, “App Template” and “App Template Import” options are introduced.
App Template
• The “App Template” link redirects you to A10 AppCentric Templates page.
• AppCentric Templates provides a wizard, configuration templates and dashboard designed for a
specific applications.
App Template Import

• The “App Template Import” link imports a package file for A10 AppCentric Templates. By default,
ACOS is shipped with two AppCentric Templates, SSL Insight and Microsoft Exchange 2013. You
can have access to more applications by importing the latest package file.
NOTE: See the SSL Insight Configuration Guide book for details.
Generate Self-Signed CSR

The ability to generate self-signed CSRs is added to the pki create command. The csr-generate
options are removed from the import commands.
page 124
Feedback
NOTE: See the SLB CLI Commands for further information.
Support for SSL/TLS Secure Renegotiation

Prior to this release, SSL/TLS non-secure renegotiation was allowed by default, but could be disabled by
entering “no renegotiation-disable” in the SLB client-SSL template.
In this release, SSL/TLS secure renegotiation is the default. if you enter “no renegotiation-disable” in
both the SLB server-SSL template and the SLB client-SSL template.
NOTE: See the Command Line Reference for ADC to get further information.
Support for HTTPS Import

Prior to this release, the import feature did not support HTTPS.
NOTE: See the import and import-periodic commands in the Command Line
Reference for ADC to get further information.
ICAP HTTP Block Counters

The show slb icap-http command is added to this release. This command displays the statistics spe-
cific to ICAP blocked traffic. When traffic is blocked by the ICAP server, it sends the HTTP response to
ACOS.
The existing show slb icap command displays statistics that includes both blocked and not blocked
traffic.
ICAP Feature to Send Entire URL for DLP

Prior to this release, when the inside ACOS system was configured to send ICAP requests to a data loss
prevention (DLP) server, it did not send the entire URL. Although the ACOS implementation of the ICAP
DLP was technically compliant, it was not the entire URL and the format as is commonly practiced.
In ACOS 4.1.1, the format of the ICAP REQ,MOD and RESPMOD requests will include the entire URL
when and the protocol the include-protocol-in-uri command is enabled.
Secure ICAP
The secure ICAP feature provides the ability to connect an ACOS system to the ICAP server over an SSL
connection. The template server-ssl command in the REQMOD and RESPMOD template configura-
tion modes enables this feature.
page 125
FeedbackF
Fee
e
ICAP Fail Close Option

The fail-close command is added to the configuration options of the REQMOD and RESPMOD tem-
plates. When enabled, the SSLi inside ACOS virtual port is marked down when the template’s service
group is down.
ICAP Pre-Filter Allowed Methods and Minimum Payload

The ICAP REQMOD template has two new sub-commands:
• The allowed-http-methods command specifies the allowed HTTP methods.
• The min-payload-size command specifies minimum payload size that can be sent to the ICAP
server.
ICAP Logging
When configuring the ICAP REQMOD and RESPMOD templates, you can bind enable ICAP logging. Log
messages include the following fields: timestamp, sender username, source IP, destination URL, and
DLP verdict. See the template logging command under the slb template reqmod-icap and slb tem-
plate respmod-icap commands, and also see the “Configuring ACOS Logging in ICAP Templates” sec-
tion of the SSL Insight Configuration Guide for further information.
Application Delivery and Server Load Balancing

• Actively Close Session when Server is Disabled or Fails Health Check
• Clear Persistent Sessions Options
• Server session close when the server is disabled or fails a health-check
• Proxy Chaining Configuration
• Forward Policy Destination Rule Enhancement
• Proxy Server Configuration for Web Category Services
• Explicit Proxy Permission with AAM Policy
• Terminate Diameter Session for Credit-Control-Answer-Termination Message
• Return Diameter Unknown Session ID Instead of Dropping Traffic
• Handle Diameter Credit-Control-Request-Termination Messages
• Enhanced Diameter CLI Parameters, Messages, and Output
• Retry When the Server Response Contains Diameter Error Codes
• Diameter Disconnect-Peer-Request Message Handling
page 126
Feedback
• Convert Diameter Origin Realm and Origin Host-ID
• Diameter Re-Auth-Request Message Handing
• Configure Diameter Device Watchdog Answer Messages for Server Up
• Support STARTTLS for IMAP and POP
• TACACS+ Specific Health Monitor
• Increasing the Maximum Number of Health Checks
• Increase the Number of Black/White List Group IDs
• Support for Simple Certificate Enrollment Protocol (SCEP)
• Increase in Class-list Capacity
• Increase in PBSLB Subnet Capacity
• Software SSL Update to 1.0.2
• HTTP Load Balancing to Proxy Servers
• Hash Algorithm Based on Even-Odd Source IP Address
• DNS Caching to Honor Server Response TTL
• Extended SSL/TLS Usage Statistics
• Bandwidth Limit per SLB Server and SLB Server Port
• Parsing Multiple Certificates in a Certificate File
• Enhancements to TCP RST Behavior in TCP and TCP-Proxy Templates
• Port Override Health Check for Layer 2 DSR Deployments
• Source IP and Source Port Packet Rate Enhancements
• Initial Non-SYN TCP Packet
• TLS Version 1.1 Support for SSL Clients
• FTP Support for SLB Protocol Translation
• Extended Cache Hit Statistics
• Fast-HTTP and HTTP Support for url-hash-persist
• Response to Client POST Request Modification
• Strict Load-Balancing for Weighted Round-Robin and Least Connection\
• Fast-HTTP and HTTP Support for url-hash-persist
• FTP Support for SLB Protocol Translation
page 127
FeedbackF
Fee
e
• Load Balancing with the “DNSSEC OK” (DO) Bit
• SMTP Health Check
• Strict Layer 2 DSR Health Checks
• Disabling SSL Renegotiation
• Advertised Certificate Authorities
• Thales HSM Device Support
Actively Close Session when Server is Disabled or Fails Health Check

Previously, a layer 4 session was cleared only after all members of the service group over which the ses-
sion was running failed. In this release, the layer 4 session is cleared immediately if the new del-ses-
sion-on-server-down command is configured on the real port level of a member of a service group and
that server fails health check or is disabled. If a one or more real servers in a service group fails the
health check and this command is enabled for the session, ACOS clears the session.
The command, del-session-on-server-down, is added as an option in three places: to the SLB real port
template, the SLB TCP template, and the SLB TCP-proxy template.
Clear Persistent Sessions Options

The ipv4 option is added to the clear sessions persist syntax. Prior to this release, the IPv4 was
implied by default. The current syntax for clear sessions persist is as follows:
clear sessions persist [ipv4 | ipv6] [dst-ip | src-ip | ssl-sid] | uie}
Parameter Description
ipv4 Clear ipv4 persistent sessions only.
ipv6 Clear ipv6 persistent sessions only.
dst-ip dst-ip Clear persistent sessions matching the specified destination IP address value.
src-ip src-ip Clear persistent sessions matching the specified source IP address value.
ssl-sip ssl-sip Clear persistent SSL sessions matching the specified destination SSL IP address
value.
uie Clear sessions that are made persistent by the aFleX persist uie command
Server session close when the server is disabled or fails a health-check

This feature adds the ability, within a service-group, to close sessions associated with a server when the
server is disabled or fails a health check. Existing commands support a similar action at global (grace-
ful-shutdown) and real server port (down-grace-period) configuration modes.
page 128
Feedback
Active sessions, (receiving client-side packets) are cleared immediately. Idle sessions may continue to
exist for more than a minute after the command is issued.
Web support is not available for this feature.
Implementation
The feature is enabled through the del-session-on-server-down command. This command is

enabled in slb-template-port configuration mode. The feature is implemented by applying the port tem-
plate to a real server or service-group member. If binding the port template at the service-group level,
make sure del-session-on-server-down is the only configuration in the port template.
Configuration Example
These commands configure the session-close-on-server-shutdown function on a real server, then

assigns that server to a service group.
ACOS(config)#slb template port xyz

ACOS(config-rport)#del-session-on-server-down
ACOS(config-rport)#exit
ACOS(config)#slb server real-1 10.0.0.100
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#template port xyz
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit
ACOS(config)#slb service-group sg1 tcp
ACOS(config-slb svc group)#member real-1 80
ACOS(config-slb svc group-member:80)#exit
ACOS(config-slb svc group)#exit
ACOS(config)#show runn | sec slb
slb template port xyz
del-session-on-server-down
slb server real-1 10.0.0.100
port 80 tcp
template port xyz
slb service-group sg1 tcp
member real-1 80
ACOS(config)#
These commands assign a real server to a service group, then configure the session-close-on-server-
shutdown function on that server.
ACOS(config)#slb template port abc

page 129
FeedbackF
Fee
e
ACOS(config)#slb server real-A 10.0.0.50
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit
ACOS(config)#slb service-group SG-A tcp
ACOS(config-slb svc group)#member real-A 80
ACOS(config-slb svc group-member:80)#template abc
ACOS(config-slb svc group-member:80)#exit
ACOS(config-slb svc group)#exit
ACOS(config)#show run | sec slb
slb template port abc
slb server real-A 10.0.0.50
port 80 tcp
slb service-group SG-A tcp
member real-A 80
template abc
ACOS(config)#
New CLI Command
Description When applied to a server template, ACOS closes the session associated with
the server when the server is disabled or fails a health-check.
Active sessions, (receiving client-side packets) are cleared immediately. Idle

sessions may continue to exist for more than a minute after the command is
issued.
Syntax [no] del-session-on-server-down
Mode slb template port configuration
Example These commands configures an slb-template port to close sessions when

the server shuts down function on a real server.
ACOS(config)#slb template port abc

page 130
Feedback
Proxy Chaining Configuration

The proxy-chaining parameter option for enabling proxy-chaining through the forward-policy-action sub-
configuration using the forward-to-internet or forward-to-service-group command is replaced by the for-
ward-to-proxy command. This enhancement simplifies the configuration of proxy-chaining.
NOTE: See “forward-to-proxy” in the Command Line Interface Reference for ADC
for details on parameters available for this command. See “Proxy Chain-
ing Overview” in the Application Delivery and Server Load Balancing Guide
or “Proxy Chaining SSLi Overview” in the SSL Configuration Guide for con-
figuration instructions.
For information about legacy configurations, see Legacy Proxy Chaining Configuration in Changes to
Default Behavior.
Forward Policy Destination Rule Enhancement

In an slb template policy configuration for explicit proxy, in a forward-policy-source sub-configuration, a
class list of IP type can now be used as part of a destination rule. This enhancement also allows the
import and utilization of ThreatSTOP files.
NOTE: See “forward-policy” in the Command Line Interface Reference for ADC for
details on available commands for configuration.
Proxy Server Configuration for Web Category Services

To utilize web category features, ACOS requires a connection to the BrightCloud servers. These servers
are hosted in a location where the IPs are subject to change. This can be a issue to administrators with
an upstream firewall in their networks when they need to manage a list of allowed IPs to allow commu-
nication between ACOS and the BrightCloud servers.
Configuration to use a proxy server is now available as a solution so that IP management is no longer
necessary under this type of situation. See “Web Category” in the Command Line Interface Reference for
ADC for details on available commands for configuration.
NOTE: See “Configuring a Proxy Server for Web Category Services” in the Appli-
cation Delivery and Server Load Balancing Guide for configuration instruc-
tions.
Explicit Proxy Permission with AAM Policy

An explicit proxy can be configured to use aam authorization policy to determine user and group mem-
bership.
page 131
FeedbackF
Fee
e
NOTE: For information about this feature, see “Explicit Proxy Permission with
AAM Policy” in the Application Delivery and Server Load Balancing Guide.
For more information about the CLI commands, see “forward-policy” in
the SLB Policy Template section of the Command Line Interface Refer-
ence for ADC.
Terminate Diameter Session for Credit-Control-Answer-Termination Message

The slb template diameter command includes a parameter to terminate-on-cca-t. This parameter
allows you to remove Diameter sessions upon receiving the Credit-Control-Answer-Termination (CCA-T)
message from the server, rather than waiting for the Session-Terminate-Request (STR) message from
the client. This is useful in situations when the client application won’t send out the STR message due to
session caching for Policy and Charging Rules Function (PCRF). This also helps to free up unused ses-
sions for reuse instead of always creating new sessions. This is disabled by default, you enable it by
configuring the parameter in the Diameter template.
The Credit-Control-Answer (CCA) and Credit-Control-Request (CCR) code messages are now load bal-
anced by default.These are shown in the “Diameter Message Codes.”
The show slb diameter command includes processing statistics for the sent and received CCR and
CCA messages.
The show session command includes a parameter for displaying diameter sessions.
The clear command includes a parameter for clearing the diameter sessions.
NOTE: See the Command Line Interface Reference for further information.
Return Diameter Unknown Session ID Instead of Dropping Traffic

When the ACOS device receives a Re-Auth-Request message from the server with a session ID that is
not in the Diameter session table, the ACOS device now responds back to the server with a Re-Auth-
Answer message that includes result code 5002. In this way, server can clear the Diameter session
from its table. For other message result codes (non-RAR) with unknown session IDs, the ACOS device
will silently drop them.
The show slb diameter command includes an output field to show when ACOS sends unknown-ses-
sion-id messages.
page 132
Feedback
Handle Diameter Credit-Control-Request-Termination Messages

When the ACOS device receives a CCR-T message from the client with a session ID that is not in the
Diameter session table, the ACOS device now responds back to the client with a CCA message that
includes result code 5002. If the session ID matches an ID in the Diameter session table, then ACOS will
forward the CCR-T message to the server.
The show slb diameter command includes an output field to show when ACOS sends unknown-ses-
sion-id messages.
Enhanced Diameter CLI Parameters, Messages, and Output

The show session CLI command has a new parameter diameter to view information about Diameter
sessions on the device.
NOTE: See the show session command in the Command Line Interface Refer-
ence.
Retry When the Server Response Contains Diameter Error Codes

The ACOS device now understands certain server error codes and takes corrective action to load bal-
ance across other servers in the service group, rather than sending the error message back to the client.
When the server response contains the result code DIAMETER_UNABLE_TO_DELIVER (3002) or DIAME-
TER_TOO_BUSY (3004), the ACOS device will retry sending the original client request to another server
until one of the following occurs:
• Server responds with a result code other than 3002/3004.
• ACOS retries all available members in the service group.
• ACOS retries 6 times.
If the retries are unsuccessful, ACOS forwards the server response to the client even if the result code is
3002/3004.
Diameter Disconnect-Peer-Request Message Handling

The ACOS device now handles Disconnect-Peer-Request (DPR) messages by responding with Discon-
nect-Peer-Answer (DPA) messages, rather than terminating the TCP connection.
page 133
FeedbackF
Fee
e
Convert Diameter Origin Realm and Origin Host-ID

The ACOS device now converts Origin Realm and Origin Host-ID back to the original identities when
sending the server response back to the client, rather than sending back the modified identities.
Diameter Re-Auth-Request Message Handing

The ACOS device is now able to process the server-side Re-Auth-Request (RAR) messages, rather than
only processing client-side messages.
Configure Diameter Device Watchdog Answer Messages for Server Up

The ACOS device is now able to mark a server port as up after receiving a certain number of Device
Watchdog Request (DWR) and Device Watchdog Answer (DWA) messages, rather than the previous
number of one. Using the dwr-up-retry parameter, it is possible to configure how many rounds of suc-
cessful DWR/DWA messages are needed before a server port is marked as up.
Support STARTTLS for IMAP and POP

This release offers the ability to offload IMAP and POP3 STARTTLS extension from the servers, as spec-
ified in RFC 2595. The ACOS device will take care of STARTTLS and the associated SSL handshakes.
After this, communication between the client and ACOS device will be encrypted and device to server
communication will be clear text.
NOTE: For more information, see:
• “STARTTLS for Secure SMTP” in the Application Delivery and Server Load Bal-
ancing Guide.
• “slb template imap-pop3” in the Command Line Interface Reference.
TACACS+ Specific Health Monitor

The health monitor command now includes a method parameter called tacplus. This parameter is used to
check server availability by passing the TACACS+ parameters, with secret and password encrypted.
NOTE: For more information, see method in the “Config Commands: Health Mon-
itors” chapter in the Command Line Interface Reference for ADC.
page 134
Feedback
Increasing the Maximum Number of Health Checks

The maximum number of configurable health checks is increased from 1024 to 8192 on all 64-bit plat-
forms. The actual number of health checks that can be configured in your platform may vary depending
on the amount of available memory. Platforms with more than 24GB of memory can reach a maximum
of 8192.
Below shows a table of maximums configurable for different platform memories:
Available Memory Maximum Number of Health Checks

2G-8G 1024
12G 2048
16G 4096
24G 8192
To configure the maximum number of health checks, use the health-monitor-count parameter under
the slb resource-usage command at the global configuration mode in the CLI.
NOTE: For more information, see the Command Line Interface Reference for
ADC.
To configure this feature using the GUI, navigate to System >> Settings > Resource Accounting.
The Health Monitor parameter is located at the bottom of the App Resources tab.
Increase the Number of Black/White List Group IDs

The number of Black/White list group IDs that can be configured is increased to 1024; earlier releases
only supported 32 group IDs.
NOTE: For more information, see the “bw-list id” command under “slb template
policy” in the Command Line Interface Reference for ADC.
This enhancement can also be found in the GUI by navigating to ADC >> Templates and selecting the
L7 Protocols tab. When creating a Policy template, the BW List field is no longer a drop-down menu,
but instead accepts a number entry from 0 - 1023.
Support for Simple Certificate Enrollment Protocol (SCEP)

Simple Certificate Enrollment Protocol (SCEP) is supported. SCEP is a part of the Public key infrastruc-
ture (PKI). SCEP simplifies management of security certificates, by providing simplified installation and
automated renewal of x.509 certificates. You can use SCEP certificates with the same ACOS features
that support manually imported certificates. For example, SCEP certificates are supported with SSL
Insight (SSLi).
page 135
FeedbackF
Fee
e
NOTE: Note that this feature will not be supported for HSM platforms, including
Thunder 5630.
NOTE: For more information, see “SSL Certificate Management and Options” in
the Application Delivery and Server Load Balancing Guide.
Increase in Class-list Capacity

The number of Class lists that ACOS devices can contain depends on the device memory capacity. The
following are the modified class list limits:
• Platforms with at least 32G memory: 10K class lists
• Platforms with at least 16G and less than 32G memory: 2K class lists
• Platforms with at least 8G and less than 16G memory: 1K class lists
• Platforms with less than 8G memory: 255 class lists
Increase in PBSLB Subnet Capacity

The number of PBSLB subnets that can be configured on the system is increased and is now also con-
figurable using “slb resource-usage pbslb-subnet-count” from the CLI, or the System >> Settings >>
Resource Usage page in the GUI.
The table below summarizes the updated limits:
Memory Minimum Maximum Default

2 Gb 64K 64K 64K
4 GB 64K 64K 64K
6 Gb 64K 64K 64K
8 Gb 64K 64K 64K
12 Gb 64K 2M 64K
16 Gb 64K 2M 2M
24 Gb 64K 2M 2M
Software SSL Update to 1.0.2

The Software SSL update to OpenSSL v1.0.2 allows for enhanced performance of encryption and SSL
processing. It also allows for additional cipher support and removal of antiquated cipher support.
Additions to Cipher Support
The following cipher support is added:
page 136
Feedback
• RSA Ciphers
• AES128-GCM-SHA256
• AES256-GCM-SHA384
• DHE Ciphers
• DHE-RSA-AES128-SHA
• DHE-RSA-AES256-SHA
• DHE-RSA-AES128-GCM-SHA256
• DHE-RSA-AES256-GCM-SHA384
• ECDHE/RSA Perfect Forward Security (PFS) Ciphers
• ECDHE-RSA-AES256-SHA384 (1)
• ECDHE-RSA-AES128-GCM-SHA256
• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE/ECDSA Perfect Forward Security (PFS) Ciphers
• ECDHE-ECDSA-AES128-SHA
• ECDHE-ECDSA-AES256-SHA
• ECDHE-ECDSA-AES128-SHA256
• ECDHE-ECDSA-AES256-SHA384 (1)
• ECDHE-ECDSA-AES128-GCM-SHA256
• ECDHE-ECDSA-AES256-GCM-SHA384
Reductions to Cipher Support
The following previously supported ciphers are removed:
• EXPORT RC4 & Single DES Ciphers
• EXP-RC4-MD5
• EXP-DES-CBC-SHA
• DES-CBC-SHA
• EXP1024-RC4-MD5
• EXP1024-RC4-SH
NOTE: See the A10 SSL Cipher Suites List at https://www.a10networks.com/

support/axseries/appnotes for more information.
page 137
FeedbackF
Fee
e
HTTP Load Balancing to Proxy Servers

The ACOS external service module has fixed headers for URL filtering when it forwards requests to
proxy servers. Besides these fixed headers, you can specify a set of HTTP request-headers when for-
warding HTTP packets from client to the proxy servers. If there are multiple headers with the same
name from the client, then only the first header instance is forwarded.
The URL Filter server’s HTTP module parses client requests and saves the results in the corresponding
data structure. The AX module then inserts the configured header when it forwards HTTP requests to
the proxy server. If the proxy server response is good, the AX connects to the destination server. If the
proxy server response is bad, the AX closes the connection.
To specify HTTP request-headers to be sent to the proxy server, use the "request-header-forward"
option in an SLB "external-service" template. The following describes details and limitations of the
"request-header-forward" option:
1. Client request-headers are case insensitive. For example, “User-Agent”, “user-agent”, and “USER-
AGENT” are treated as the same request header.
2. A maximum of 16 “request-header-forward” options can be configured.
3. An HTTP request-header (including request-header content) which can be forwarded cannot
exceed 1036 bytes.
• Example 1: Length of (User-Agent: xxx…) must be less than 1036
• Example 2: Length of (Accept: xxx…) must be less than 1036;
4. An external-service template only forwards GET/POST methods to proxy server; these methods
forward request-header-forward content to proxy servers.
Hash Algorithm Based on Even-Odd Source IP Address

This feature adds a stateful hash algorithm based on the source IP address. Packets with even source
IP addresses (sum all octets is even) hashes to servers with even IP addresses. Packets with odd
source IP addresses (sum all octets is odd) hashes to servers with odd IP addresses. Existing per-
sistence functions assure consistent hashing across service groups.
NOTE: See Stateful Hash-Based Load Balancing Methods (Application Delivery

and Server Load Balancing Guide) and the method (SLB Service Groups)
command (Command Line Interface Reference For ADC)
DNS Caching to Honor Server Response TTL

This feature supports using server response TTL for DNS caching. The slb dns-cache-age command
includes the new parameter honor-server-response-ttl. For more information, see “slb dns-cache-age” in
the Command Line Interface Reference.
page 138
Feedback
NOTE: This feature can also be applied at the virtual port level for DNS caching;
for more information, see “slb template dns” in the Command Line Inter-
face Reference.
Extended SSL/TLS Usage Statistics

The SLB information for SSL is extended to include more detailed information about clients connecting
to virtual servers and virtual ports. The information includes counts for ciphers used, key exchange
methods, renegotiations, and session cache. To access the new statistics, an option for counters is
added to show slb ssl.
NOTE: For more information, see “show slb ssl” in the Command Line Interface
Reference.
Bandwidth Limit per SLB Server and SLB Server Port

This feature supports templates for monitoring and limiting the overall traffic load a real server or port
handles. Once the threshold is reached, ACOS can then avoid selecting such server/port for newer ses-
sions until the traffic load has subsided. It is also possible to enable accounting of traffic to and from
the server, and logging if the traffic limits are exceeded.
NOTE: For more information, see:
• “Configuring Bandwidth Limits for Servers and Ports” in the Application Delivery
and Server Load Balancing Guide.
• “bw-rate-limit” and “bw-rate-limit-acct” in the “slb template server” command
(Command Line Interface Reference).
• “bw-rate-limit” in the “slb template port” command in the Command Line Interface
Reference.
Two new SNMP traps for SLB bandwidth rate limits are also added; bw-rate-limit-exceed and bw-rate-
limit-resume.
NOTE: For more information, see “snmp-server enable” in the Command Line
Interface Reference.
Parsing Multiple Certificates in a Certificate File

This release introduces a change in the way ACOS parses a certificate file containing multiple certifi-
cates. For example, if you are importing a certificate file containing certificates in the following order:
• Intermediate CA
• Root CA
page 139
FeedbackF
Fee
e
• Server
They will be reordered to a proper certificate chain, as follows:
• Server
• Intermediate CA
• Root CA
If the file contains a chain with a missing link or certificates from multiple chains, the file will be rejected.
Enhancements to TCP RST Behavior in TCP and TCP-Proxy Templates

This feature enhances the behavior of reset-rev in TCP and TCP-Proxy templates so that a TCP RST can
be sent when a server is down or disabled. In previous releases, a TCP RST could only be sent when a
server is not up, making no distinction between down or disabled.
NOTE: For more information, see “slb template tcp” or “slb template tcp-proxy” in
the Command Line Interface Reference.
This enhancement can also be found in the GUI by navigating to ADC >> Templates >> L4 and creat-
ing a TCP template. When the Reset Receive checkbox is checked, the Server Status of Down or Dis-
abled is available. Also found in ADC >> Templates >> L7and creating a TCP Proxy template. When
the Reset Receive checkbox is checked, the Server Status of Down or Disabled is available.
Port Override Health Check for Layer 2 DSR Deployments

This feature enables port overrides for health checks in a Layer 2 DSR environment.
For more information, see “slb dsr-health-check-enable” in the Command Line Interface Reference.
Source IP and Source Port Packet Rate Enhancements

The virtual port template CLI commands are enhanced to provide the following functionality:
• A per option to enable packet rate sampling to be defined per 100 ms intervals in addition to one-
second intervals.
• A reset option to send a TCP reset command to kill a session that exceeds a specified packet rate
limit.
NOTE: For more information, see the pkt-rate-limit option for “slb template vir-
tual-port” in the Command Line Interface Reference.
page 140
Feedback
Initial Non-SYN TCP Packet

The non-syn-initiation option is added under virtual port template configuration that allows a TCP ses-
sion to be created when the first TCP packet is non-SYN.
NOTE: For more information, see “slb template virtual-port” in the Command Line
Interface Reference.
TLS Version 1.1 Support for SSL Clients

ACOS supports TLS version 1.1 for SSL communication with clients. While TLS 1.1 may be considered
deprecated by TLS 1.2, some clients do still use the older version. You can enable TLS 1.1 support for
these clients. Beginning in this release, the following versions are supported for ACOS-to-client commu-
nication: SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2.
FTP Support for SLB Protocol Translation

SLB Protocol Translation (SLB-PT) is now supported for use on FTP virtual ports in a virtual server con-
figuration.
NOTE: For more information see “SLB Protocol Translation” chapter in the Appli-
cation Delivery and Server Load Balancing Guide.
Extended Cache Hit Statistics

This release introduces a URL filter to the show slb cache entries command. The extended statistics
can drill-down to details per cached entry under a particular virtual port. The command now displays
more granular statistics for each cached entry/URL maintained under a cache template that is bound to
a virtual port.
NOTE: For more information, see “show slb cache” in the Command Line Inter-
Fast-HTTP and HTTP Support for url-hash-persist

The feature supports the url_hash_persist parameter in HTTP templates, which is bound to an HTTP or
Fast-HTTP virtual port.
Header insertion in Fast-HTTP more is not supported for POST, GET with data, and Pipeline requests
across two packets. This functionality is supported in HTTP mode.
NOTE: For more information, see “slb template http” in the Command Line Inter-
face Reference.
page 141
FeedbackF
Fee
e
Response to Client POST Request Modification

This feature adds a CLI command to enable the behavior that, when ACOS receives an HTTP Post
request with an Expect:100 Continue, it treats all subsequent inbound packets as belonging to the
request until it receives the expected number of packets for the request.
The current ACOS response to an HTTP Post request with an Expect:100 continue is to receive non-
chunked packets as a part of the request until it receives a response that is not Expect: 100 Continue, in
which case subsequent packets are treated as part of a new request. This behavior remains the default
setting.
The feature is enabled through the 100-cont-wait-for-req-complete command. This command is

enabled in slb-template-http configuration mode and implemented when the template is applied to a vir-
tual server
NOTE: For more information, see the slb template http command in the Com-
mand Line Interface Reference for ADC.
Strict Load-Balancing for Weighted Round-Robin and Least Connection\

This release adds support for strict server load balancing for stateful (Weighted Round-Robin, Least
Connection, and Service Least Connection) load balancing methods.
NOTE: For more information, see “strict-select” in the Command Line Interface
Reference.
Fast-HTTP and HTTP Support for url-hash-persist

This release enables you to use the url-hash-persist parameter in an HTTP template, then bind the
template to an HTTP or Fast-HTTP virtual port.
NOTE: Header insertion in Fast-HTTP more is not supported for POST, GET with
data, and Pipeline requests across two packets. This functionality is sup-
ported in HTTP mode.
NOTE: For more information, see “slb template http” in the Command Line Inter-
FTP Support for SLB Protocol Translation

SLB Protocol Translation (SLB-PT) is now supported for use on FTP virtual ports in a virtual server con-
figuration.
page 142
Feedback
NOTE: For more information about this feature, see “SLB Protocol Translation”
chapter in the Application Delivery and Server Load Balancing Guide.
Load Balancing with the “DNSSEC OK” (DO) Bit

This feature enables the ACOS device to load balance DNS requests from clients supporting DNS Secu-
rity Extensions (DNSSEC) to servers supporting the same. Previously, this feature was only supported
using aFleX scripts (DNS::header).
NOTE: For more information, see “Load Balancing with the “DNSSEC OK” (DO)
Bit” in the Application Delivery and Server Load Balancing Guide.
SMTP Health Check

This release introduces an enhancement for SMTP health checks where the ACOS device generates an
SMTP message after establishing a TCP connection with the server. The message is sent only after the
ACOS device sends the “HELO” message and receives the expected response.
You can use the rcpt-to and mail-from parameters to specify the recipient and sender of this message.
NOTE: For more information, see “method” in the “Config Commands: Health
Monitor” chapter in the Command Line Interface Reference for ADC.
To configure this feature using the GUI, navigate to ADC >> Health Monitors. When you create the
SMTP type of monitor, the Mail From and Receive To fields are available.
Strict Layer 2 DSR Health Checks

The CLI option dsr-l2-strict is added to health monitor configuration to ensure that health check
packets are only sent to servers on the same Layer 2 network as the ACOS device.
To configure this feature using the GUI, navigate to ADC >> Health Monitors. When you create a
health monitor, select the checkbox in the Enable Strict L2dsr health-check field.
NOTE: See “dsr-l2-strict” in the Command Line Interface Reference for ADC for
more information.
Disabling SSL Renegotiation

ACOS allows for renegotiation of SSL connections over previously secured channels. This speeds up
reestablishment of previous SSL connections with known clients. In ACOS 2.7.2-P5, there is an option to
disable SSL and TLS renegotiations, using a Client SSL template. Disabling TLS/SSL renegotiations can
help prevent vulnerabilities that may lead to SSL/TLS renegotiation Man-In-The-Middle Attacks.
page 143
FeedbackF
Fee
e
NOTE: For more information, see “renegotiation-disable” in the Command Line

Interface Reference for ADC.
Advertised Certificate Authorities

This enhancement can be found in the GUI by navigating to ADC >> Templates >> SSL and creating a
Client SSL template. The Client Certificate Request CA drop-down menu includes a list of CA Certifi-
cates that were imported from ADC >> SSL Management >> SSL Certificates. This list is the equiv-
alent of the CLI command show pki ca-cert.
Thales HSM Device Support

ACOS supports the use of Thales Hardware Security Module devices for HTTPS acceleration. See the
“Redirection of Traffic to Thales HSM Devices” chapter of the Application Delivery and Server Load Bal-
ancing Guide for further information about installation and configuration.
NOTE: See the enhanced hsm template template-name thalesHSM command in

the Command Line Interface Reference for further information about the
command options.
Global Server Load Balancing

• Configuring Periodic GSLB Geo-Location Database Synchronization
• GSLB Health Monitors
• Global Server Load Balancing Sticky Persistence Sync
• GSLB Controller-Based Metrics
• GSLB CNAME Load Balancing
• EDNS-Client-Subnet Support for GSLB Geolocation Metric
• DNS Logging Enhancement for GSLB: Log to Remote Servers Only
• Same GSLB Domain Configurations Across Partitions
• GSLB Access Control Support
• EDNS-Client-Subnet Support for GSLB Geo-location Metric
Configuring Periodic GSLB Geo-Location Database Synchronization

To periodically synchronize the geo-location database for GSLB group members, follow these steps:
page 144
Feedback
1. At the global configuration level, import a geo-location database file and set the periodic frequency,
in seconds, to update the geo-location database.
2. Load the geo-location database into the start-up configuration for the GSLB group.
GSLB Health Monitors

A GSLB health check allows for health checks to be synchronized when GSLB configurations are syn-
chronized. Rather than configuring individual health checks to bind to multiple service-IPs on multiple
devices, the GSLB health check allows you to use one health check configuration for all devices in the
GSLB group. If a health check is added after the GSLB configuration is synchronized, it will be put into
effect due to the real-time synchronization.
To configure a GSLB Health Monitor, create a health monitor, specifying the Global Server Load Balanc-
ing configuration level.
Global Server Load Balancing Sticky Persistence Sync

The behavior for synchronizing Global Server Load Balancing (GSLB) sticky persistence is revised; when
GSLB sticky sessions are created or updated, they are now synchronized to the other group members in
different geographic locations.
• When a connection is updated or created on the master, it broadcasts the change to other mem-
bers of the group.
• When a connection is updated or created on a group member, it notifies the master, which broad-
casts the change to other members in the group (excluding the source member).
• The "clear gslb session" and "clear gslb service-group-session" commands cannot be synced.
NOTE: For more information, see “GSLB Synchronization” in the Global Server
GSLB Controller-Based Metrics

GSLB Controller-Based metrics enable each GSLB controller to directly measure active-round delay time
(aRDT or RDT) metric information as derived from its queries to the local DNS (LDNS) server and,
optionally, the site GSLB devices. The current A10 implementation relies solely on GSLB site-based met-
rics, where the controller obtains these metrics from site devices.
The device can be configured to calculate the response delay time by using ICMP packets instead of
DNS requests. In legacy implementations, using RDT as a metric for requires calculating the metric by
sending a DNS request to the originating LDNS Server from the DNS Controller. Some topologies block
outbound DNS requests by firewalls, invalidating this metric. This feature facilitate ICMP packet usage
for calculating response delay time as ping requests and replies pass through the firewall.
page 145
FeedbackF
Fee
e
NOTE: For more information, see “GSLB Controller-Based Metrics” in the Global
Server Load Balancing Guide.
GSLB CNAME Load Balancing

This feature enhances GSLB to reply to GSLB DNS requests with load-balanced CNAMEs records. When
the feature is enabled, a CNAME record is associated with a hostname server through a policy assign-
ment. The ACOS device can then monitor the record’s status through a port-level or server-level health
check.
NOTE: For more information, see “Support for DNS CNAME Records” in the
Global Server Load Balancing Guide.
EDNS-Client-Subnet Support for GSLB Geolocation Metric

This feature causes the ACOS device to read the extra EDNS-Client-Subnet field in a DNS message to
provide more specific geo-location features for DNS queries in GSLB.
NOTE: For more information, see “edns client-subnet geographic” in the Global
DNS Logging Enhancement for GSLB: Log to Remote Servers Only

This feature enhances GSLB logging with an option to send GSLB DNS logs to remote logging servers,
instead of the ACOS device’s log buffer.
NOTE: For more information, see “Configuring DNS Logging” in the Global Server
Same GSLB Domain Configurations Across Partitions

This feature supports configuring GSLB zones, service-IPs, policies, and service-groups with the same
domain on multiple partitions, allowing domains to have independent policies for internal and external
services. This also allows the same domain to be configured on different partitions, regardless of
whether the partitions run in GSLB Server or GSLB Proxy Mode.
In previous releases, GSLB zones on different private partitions had to be configured with different
domains.
NOTE: For more information, see “Zones, Services, and Sites” in the Global
Server Load Balancing Guide. An example configuration can be found in
the “Configure a Zone” section in this guide.
page 146
Feedback
GSLB Access Control Support

This feature provides the ability to filter an AAAA query from the IPv4 or IPv6 source address in GSLB.
Configuration Steps
1. Create a geo-location instead of a class list.
2. Create a GSLB policy to enable geo-location aliases.
3. Create a CNAME record for IPv4 queries only.
EDNS-Client-Subnet Support for GSLB Geo-location Metric

This feature causes the ACOS device to read the extra EDNS-Client-Subnet field in a DNS message to
provide more specific geo-location features for DNS queries in GSLB.
NOTE: For more information, see “edns client-subnet geographic” in the Global
Platform Software Enhancements

• SSH Login Grace Period
• Login Banner Length Increased
• SLB Template Name Length Increased
• Names for Tunnel Interfaces
• Additional CLI Filtering Options
SSH Login Grace Period

This release provides a configurable period of time in seconds after a user connects to the ACOS device,
but before the user is authenticated. For more information, see “ssh-login-grace-time” in the Command
Line Interface Reference.
This enhancement can also be found in the GUI by navigating to System >> Settings >> General.
Login Banner Length Increased

The length of CLI banners (both login and EXEC) is increased to 2048 characters.
page 147
FeedbackF
Fee
e
NOTE: For more information, see “banner” in the Command Line Interface Refer-
ence.
SLB Template Name Length Increased

The maximum length of all SLB template names is increased to 127 characters.
NOTE: For details, see the Command Line Interface Reference for ADC.
Names for Tunnel Interfaces

A name may be specified when configuring tunnel interfaces.
NOTE: For more information, see the name command in “Config Commands:
Interface” in the Network Configuration Guide.
Additional CLI Filtering Options

Additional CLI filtering options are available for show commands to help you find specific desired output.
NOTE: For more information, see “Searching and Filtering CLI Output” in the
Command Line Interface Reference.
Platform Hardware Enhancements

• 40G QSFP+ Twinax Copper Cable Support
• USB License Key for Thunder Bare Metal
• ECDHE Cipher Support - PFS support
40G QSFP+ Twinax Copper Cable Support

Industry-standard 40G QSFP+ Twinax copper cables are supported in all 40G ports.
USB License Key for Thunder Bare Metal

The USB license key allows you to move a license to different Thunder Bare Metal devices via USB.
page 148
Feedback
NOTE: See the Thunder Bare Metal Installation Guide for more information.
ECDHE Cipher Support - PFS support

This feature adds support for ECDHE/DHE key exchange in the server SSL template. Previously, this
was only available for the client side. This enhances hardware performance for server side SSL as the
traffic will not consume any hardware CPU.
CGN Enhancements
• CGN Header Enrichment Matching Domain Names
• Client IP Insertion into HTTPS Requests on CGN/IPv6 Platform
• DDoS Protection Support for Fixed NAT IPs
• MAP-T Domain and Rule Expansion
• MAP-T Support for Share-Ratio and Port-Start
• Modify LSN NAT Pool without Downtime
• Support to Disable Static NAT
• IP Black List for DDoS Protection
• Lw4o6 - Multiple Tunnel Support
• Lw4o6 access-list for Inside IPv4 Clients
• One-to-One NAT Support for NAT64
• Lw4o6 for Port-less Protocols
• IPv4 Identification Value for IPv6 to IPv4 Translation
• Validating Lightweight 4over6 Binding Tables
• Displaying Lightweight 4over6 Binding Table in the Order Configured
• Reduced CPU Overhead for CPU Round Robin
• Configurable LSN RADIUS Table Size
• Enhancement to IP NAT Translation Command
• Enhancement to ECMP Hashing
page 149
FeedbackF
Fee
e
CGN Header Enrichment Matching Domain Names

CGN header is enhanced with the support of domain name ACL matching for LSN/NAT64/DS-lite/6rd-
NAT64/Fixed NAT/One-to-One NAT. The domain name is used to classify traffic if destination IP
address matching fails when the ACOS device does not have the same DNS server configurations as
the client does. This feature supports HTTP traffic that contains a domain name in the HTTP request. A
new CLI http-match-domain-name is provided to allow user to enable/disable matching domain name in
HTTP requests.
Client IP Insertion into HTTPS Requests on CGN/IPv6 Platform

This feature supports client IP insertion into HTTPS client requests for CGN/IPV6 platforms.
The feature allows HTTPS proxy to use CGN pool instead of the regular NAT pool since ADC and CGN
can run in the same partition. The allow-slb-cfg enable command enables the configuration of SLB
objects in CGN partition and disables the check that ACOS executes to prohibit ADC and CGN being
configured in the same partition.
NOTE: For more information, see “Client IP Insertion into HTTPS Requests on
CGN/IPv6 Platform” in the IPv4-to-IPv6 Transition Solutions Guide.
DDoS Protection Support for Fixed NAT IPs

The DDoS protection feature is enhanced to include Fixed NAT IPs.
MAP-T Domain and Rule Expansion

When configuring a MAP-T domain on the ACOS device, the domain configuration is global to all data
interfaces. Each partition supports a maximum of 32 MAP-T domains, and statistics will be logged per
domain.
When creating a MAP-T domain, a Default Mapping Rule (DMR) must first be configured, followed by a
Basic Mapping Rule (BMR The DMR is used to map IPv4 addresses to IPv6 addresses beyond the MAP-
T domain. The BMR configures the IPv6 address or prefix, and allows for MAP-T CPE to configure an
IPv4 address based on the IPv6 prefix. For each BMR, a maximum number of 256 IPv6 IPv4 prefix rule
sets is supported.
Within a MAP-T domain, the ACOS device sits at the edge and acts as the MAP-T Border Relay (BR). The
ACOS device uses the configured DMR and BMR to translate between IPv4 and IPv6 packet headers,
and routes the traffic accordingly onto the respective v6 or v4 networks. Multiple ACOS devices can be
supported as MAP-T BRs in the same MAP-T domain, and all MAP-T BR devices within the domain
share the same DMR and BMR.
NOTE: For more information, see “MAP-T Domain and Rule Expansion” in the
IPv4-to-IPv6 Transition Solutions Guide for configuration details.
page 150
Feedback
MAP-T Support for Share-Ratio and Port-Start

All MAP-T domains require a configured DMR and a configured BMR. Support is available for share-
ratio and port-start options for the rule-ipv4-prefix in BMR. All MAP-T domains require a configured
DMR and a configured BMR. When configuring a CE address assignment, the Embedded Address (EA)
bits length needs to be specified if assigning an IPv4 NAT address prefix. The share-ratio and port-
start parameters must be specified when assigning a shared IPv4 NAT address.
Both the share-ratio and port-start parameters must be in the values of the power of 2. The share-
ratio parameter can be up to 65,536 while the port-start parameter can be up to 32,768.
The old options psid-length and psid-offset are deprecated.
NOTE: For more information, see “MAP-T Support for Share-Ration and Port-
Start” in the IPv4-to-IPv6 Transition Solutions Guide for configuration
details.
Modify LSN NAT Pool without Downtime

When sessions are running, you can edit or modify the NAT pool without the need to clear the sessions
first. When the NAT pool is modified, the current session is kept active on the old pool in the background
until the sessions end. New sessions are mapped to the new NAT pool using new NAT addresses.
When all sessions using old NAT addresses end, ACOS releases the old NAT addresses from the sys-
tem.
If the public NAT IP is distributed using a routing protocol (for example, BGP), ACOS stops redistributing
the old public IP address until all the sessions using this public IP is cleared first in the background. New
public IP addresses are redistributed immediately when the NAT pool is modified.
Support to Disable Static NAT

Disabling Static NAT mappings can now be done using the GUI.
In the GUI, see the online help on the ADC >> IP Source NAT >> Static NAT page.
IP Black List for DDoS Protection

ACOS offers more nuanced DDoS protection by being able to Black List individual IP addresses in a NAT
IP pool.
When a DDoS attack, targeted towards a specific IP address within a NAT IP pool, is detected, then the
ACOS device will add that IP address to the Black List. Future traffic to the given NAT IP will be dropped
until the configured Black List time limit has passed. The ACOS Black List can contain up to 1024 IP
addresses at any given moment.
page 151
FeedbackF
Fee
e
• To configure NAT IP Black Listing for DDoS protection, options are available using the cgnv6
ddos-protection packets-per-second ip command.
• The cgnv6 ddos-protection logging enable command is used to enable event logging for DDoS
protection.
• The cgnv6 ddos-protection logging disable command is used to disable event logging for
DDoS protection.
Event logging for DDoS protection must be enabled in order to log and view the Black Listed NAT IP
addresses.
NOTE: For more information, see “IP Black List for DDoS Protection” in the IPv4-
to-IPv6 Transition Solutions Guide.
Lw4o6 - Multiple Tunnel Support

ACOS is enhanced to support multiple tunnel-endpoint addresses in the binding table. Each entry can be
configured with its own tunnel-endpoint address. A maximum of 32 tunnel-endpoint addresses are sup-
ported per binding table.
To configure multiple tunnel-endpoint addresses in a Lw4o6 binding table, the new CLI tunnel-IPv6-
address [NAT-ipv4-address port num to num ipv6-tunnel-endpoint-address] command replaces
the deprecated lw-4o6 tunnel-endpoint-address command.
For more information, see “Lw4o6 - Multiple Tunnel Support” in the IPv4-to-IPv6 Transition Solutions
Guide.
Lw4o6 access-list for Inside IPv4 Clients

An Access Control List (ACL) can be applied to Lightweight 4over6 traffic from the inside client. Both an
IPv4 standard ACL and an IPv4 extended ACL can be applied to Lightweight 4over6 traffic. The behavior
of the ACL filtering remains the same.
The cgnv6 lw-4o6 inside-src-access-list command is added to apply an ACL to Lightweight 4over6
traffic.
NOTE: For more information, see “Lw4o6 access-list for Inside IPv4 Clients” in
the IPv4-to-IPv6 Transition Solutions Guide.
One-to-One NAT Support for NAT64

One-to-one NAT support is extended for NAT64. ACOS provides support for the one-to-one NAT map-
pings based on the destination IP address. When an inside client connects to a server, ACOS creates a
one-to-one NAT mapping with a bidirectional NAT, which allows outside clients to connect to any port
on the inside client.
page 152
Feedback
There are no new commands to configure one-to-one NAT for NAT64, but options are added to display
and clear the mappings for a specific IPv6 inside address.
• The show cgnv6 one-to-one mappings inside-address-ipv6 command is added to display one-
to-one NAT mappings for a specific IPv6 inside address, enter the following commands:
• The clear cgnv6 one-to-one mappings [inside-address-ipv6 ipv6-address] inside-address-
ipv6 command is added to clear the mappings.
NOTE: For more information, see “One-to-One NAT Support for NAT64” in the
IPv4-to-IPv6 Transition Solutions Guide.
Lw4o6 for Port-less Protocols

Lightweight 4over6 is enhanced to support port-less protocols, like GRE. In order to allow traffic from
port-less protocols to use Lightweight 4over6 tunnels, an entire NAT IP address must be allocated to a
single user in the Lightweight 4over6 binding table. To do this, a single binding table entry needs to be
configured with the full port range from port 1 to port 65535.
No additional configuration changes are needed to configure Lightweight 4over6 support for port-less
protocols, outside of assigning a full NAT IP address to a single user within the binding table.
NOTE: For configuration examples, see “Lw4o6 for Port-less Protocols” in the
IPv4 Identification Value for IPv6 to IPv4 Translation

ACOS NAT64 translation is enhanced to prevent translated IPv4 packets from being blocked during
IPv4 identification checking on security devices. The following command is added to the CLI:
The cgnv6 nat64 force-non-zero-ipv4-id [all] command is added to enable a non-zero Identification field
in the IPv4 packet header to be set if there is no IPv6 fragment header.
NOTE: For more information, see “IPv4 Identification Value for IPv6 to IPv4
Translation” in the IPv4-to-IPv6 Transition Solutions Guide.
Validating Lightweight 4over6 Binding Tables

Lightweight 4over6 is enhanced to include new commands for binding table validation which checks an
imported binding table and logs all the error entries into a file. If any error entries are found, a warning
message indicates that errors are present in the validated binding table.
page 153
FeedbackF
Fee
e
The cgnv6 lw-4o6 binding-table-validate command is added to check an imported binding table and
logs all the error entries into a file.
The show cgnv6 lw-4o6 binding-table-validation-log files command is added to show the error
files resulting from the lw-4o6 binding-table-validate command.
NOTE: For more information, see “Validating Lightweight 4over6 Binding Tables”
in the IPv4-to-IPv6 Transition Solutions Guide.
Displaying Lightweight 4over6 Binding Table in the Order Configured

Previously, the show lw-4o6 binding-table command displayed binding table entries in the random order
that they were retrieved from the hash table. A new entries option is added to the show cgnv6 lw-4o6
binding-table command to show the binding table entries in the order that they are added either man-
ually or from a file.
NOTE: For more information, see “Displaying Lightweight 4over6 Binding Table
in the Order Configured” in the IPv4-to-IPv6 Transition Solutions Guide.
Reduced CPU Overhead for CPU Round Robin

When CPU Round Robin is triggered, the packets are distributed across all available CPUs for process-
ing in order to avoid oversubscribing on the targeted CPU.
If LSN is enabled, then ACOS checks for an existing full cone session, port reservation, or ALG session. If
Fixed NAT is enabled, then ACOS checks for an existing full cone session or ALG session. If none of
those conditions are met, then the packet is dropped.
CPU round robin for CGN is enabled by default. All dropped packets increment the “L4 Out-of-State
packets” in the show cgnv6 l4 debug command.
NOTE: For more information, see “Reduced CPU Overhead for CPU Round
Robin” in the IPv4-to-IPv6 Transition Solutions Guide.
Configurable LSN RADIUS Table Size

The LSN RADIUS table’s maximum number of entries varies depending on the memory size of the par-
ticular ACOS platform. The LSN RADIUS table size only limits the maximum number of entries sup-
ported for each platform. You can choose to configure a custom size for your LSN RADIUS table, not to
exceed the maximum.
• To configure a custom LSN RADIUS table size, a new radius-table-size option is added to the
cngv6 resource-usage command.
page 154
Feedback
• To view the current LSN RADIUS table size, as well as the default, maximum, and minimum values
allowed for your platform, a new radius-table-size entry is added to the show cgnv6 resource-
usage command.
NOTE: For more information, see “Configurable LSN RADIUS Table Size” in the
Enhancement to IP NAT Translation Command

This release introduces an enhancement to the ip nat translation command. Similar to its usage in SLB
virtual-port templates, ignore-tcp-msl will immediately reuse TCP sockets after session termination,
without waiting for the Maximum Session Life (MSL) time to expire. This is disabled for by default.
NOTE: For more information, see “ip nat translation” in the Command Line Inter-
face Reference.
Enhancement to ECMP Hashing

ECMP route and link load balancing is enhanced to support 4-tuple hashing based on Source IP, Source
Port, Destination IP, and Destination Port. This is available for UDP/TCP in LSN, Fixed-NAT, NAT64,
Fixed-NAT64, and Gi-FW transparent sessions only. In all other cases, hashing is based on the previ-
ously existing functionality of destination IP only.
NOTE: See the cgnv6 ecmp 4-tuple-hash command in the Command Line Inter-
face Reference for CGN for more information.
page 155
FeedbackF
Fee
e
page 156
ACOS 4.x Platform Support Information
This chapter summarizes platform support information for the ACOS 4.x releases.
• Hardware Platform Support
• Virtual Appliance Support
• Jumbo Frames: Supported Platforms
• Supported Number of Partitions Per Platform
• Splitter Cable Support for Quad Small Form-factor Pluggable on 40-Gigabit Ports
Hardware Platform Support

The following Table 4 lists the supported hardware devices and their respective minimum releases; for
example:
• A device with “4.0.1” in the Minimum Release column would not support release 4.0.0.
• A device with “4.0.0” in the Minimum Release column would be supported on 4.0.0 and all later
releases, unless otherwise noted.
Unless otherwise specified, all platforms are FPGA-enabled.
TABLE 4 ACOS 4.x Supported Hardware Platforms

A10 Thunder Series Devices Minimum Release AX Series Devices Minimum Release
Thunder 7440(S) 4.1.0-P5 AX 5630 4.0.0
Thunder 6635(S) 4.0.1 AX 3530 (non-FTA)1 4.0.0
Thunder 6630(S) 4.0.0
Thunder 6440(S) 4.1.0-P5
Thunder 6435(S) 4.0.0
Thunder 6430(S) 4.0.0
Thunder 5840(S) 4.1.0-P5
Thunder 5630(S) 4.0.0
Thunder 5440(S) 4.1.0-P5
Thunder 5435(S) 4.0.0
Feedback page 157

FeedbackF
Fee
e
Virtual Appliance Support
TABLE 4 ACOS 4.x Supported Hardware Platforms

A10 Thunder Series Devices Minimum Release AX Series Devices Minimum Release
Thunder 5430(S)-11 4.0.0
Thunder 5430(S) 4.0.0
Thunder 5330(S) 4.0.1
Thunder 4440(S) 4.1.0-P5
Thunder 4435(S) 4.0.0
Thunder 4430(S) 4.0.0
Thunder 3430(S) 4.0.1
Thunder 3230(S) 4.0.1
Thunder 3040(S) (non-FTA) 4.1.1-P2
Thunder 3030S (non-FTA) 4.0.0
Thunder 1030S (non-FTA) 4.0.0
Thunder 930 (non-FTA) 4.0.0
Thunder 840 (non-FTA) 4.1.0
1. This device is no longer available for purchase as of November 23, 2015.
Virtual Appliance Support

The following Table 5 lists the supported virtual appliances and their respective minimum releases, for
example:
• A device with “4.0.1” in the Minimum Release column would not support release 4.0.0.
• A device with “4.0.0” in the Minimum Release column would be supported on 4.0.0 and all later
releases, unless otherwise noted.
TABLE 5 ACOS 4.x Supported Virtual Appliances

vThunder Virtual Appliances Minimum Release
Thunder Bare Metal 4.1.0
vThunder for AWS 4.0.1
vThunder for Azure 4.0.0-SP2
vThunder for VMware ESXi 4.0.0
vThunder for KVM (with SR-IOV) 4.0.0
vThunder for KVM 4.0.0
vThunder for Hyper-V 4.0.0
page 158
Feedback
Jumbo Frames: Supported Platforms

The following Table 6 summarizes the jumbo frame support per platform for the 4.x releases.
TABLE 6 Jumbo Frame Support for ACOS Models

FTA Model? Model Jumbo Frame support?
Yes. Thunder 7440(S) Yes
These models feature the Flexi- Thunder 6635(S)

ble Traffic ASIC (FTA).
Thunder 6630(S)
Thunder 6435(S)
Thunder 6430(S)(S)
Thunder 5840(S)
Thunder 5630
Thunder 5435(S)
Thunder 5430(S)-11
Thunder 5330(S)
Thunder 4430(S)
Thunder 3430(S)
Thunder 3230(S)
AX 5630
AX 3200-12
page 159
FeedbackF
Fee
e
TABLE 6 Jumbo Frame Support for ACOS Models

FTA Model? Model Jumbo Frame support?
No. Thunder 3040(S) Yes1
These models do not use FTAs. Thunder 3030S
AX 3530
Thunder 1030S No
Thunder 930
Thunder 840
vThunder for VMware ESXi Yes2
vThunder for KVM (with SR-

IOV)
vThunder for KVM

vThunder for AWS No
vThunder for Hyper-V
vThunder for Azure

1. Jumbo frames were not supported on the Thunder 3030S and AX 3530 platforms in ACOS release 4.0.0.
2. Jumbo frames are NOT supported for vThunder for VMware ESXi when it is in DPDK mode.
page 160
Feedback
Supported Number of Partitions Per Platform
Supported Number of Partitions Per Platform

The following Table 7 lists the ACOS devices supported with this release, along with the maximum num-
ber of supported L3 V partitions for each device.
TABLE 7 Supported Number of L3V Partitions per Device

Device Maximum Number of L3V Partitions Supported
Thunder 6635(S) (FTA) 1023
Thunder 6630(S) (FTA)
Thunder 5435/5435S (FTA)
Thunder 5430-11/5430S-11 (FTA)
AX 5630 (FTA)
Thunder 5330/5330S (FTA) 127
AX 5200 (FTA)
AX 3530 (Non-FTA)
Thunder 3230/3230S (FTA) 64
Thunder 3030S (Non-FTA)
AX 3200-12 (FTA)
Thunder 1030S (Non-FTA) 32
Thunder 930 (Non-FTA)

vThunder 32
page 161
FeedbackF
Fee
e
Splitter Cable Support for Quad Small Form-factor Pluggable on 40-Gigabit Ports
Splitter Cable Support for Quad Small Form-factor

Pluggable on 40-Gigabit Ports
The Quad Small Form-factor Pluggable (QSFP) port can be configured to serve a dual purpose. A 40-
Gigabit Ethernet port can be configured as one 40 Gigabit port or four 10-Gigabit ports.
See “Splitter Cable Support for QSFP 40G Ports” for your specific hardware model installation guide for
more information on configuration.
page 162
Issues Fixed in ACOS 4.1.1
This chapter describes the issues fixed in ACOS 4.1.1:
• Issues Fixed in Release 4.1.1-P13
• Issues Fixed in Release 4.1.1
For each issue, the following information is provided:
• A10 Tracking ID
A10 Networks tracking identifier.

• System Area
Part of the system that had the issue (for example, IP NAT, SLB, or aFleX).
• Severity
Indicates the impact the issue had or could potentially have:

• Critical
Issue caused or can cause a service outage or a reload of the ACOS device.
• Major
Feedback page 163

FeedbackF
Fee
e
Issues Fixed in Release 4.1.1-P13
Major issue that caused or could cause a major service outage.

• Normal
Relatively minor issue that caused or could cause a minor service outage.
• Issue Description
Description of the issue in detail.

• Version Reported
Software version(s) in which the issue is present.

Later versions (including the version documented by this release note) are not affected by the
issue.

The issues fixed for the version 4.1.1-P13 are listed in the Table 8. The issues are listed by A10 tracking
ID, beginning with the highest issue ID (the most recently logged issue)
TABLE 8 Resolved Fixed Bugs - Issues Fixed in Release 4.1.1-P13

A10
Tracking System Version
ID Area Severity Description Reported
510082 Logging Critical On a system with heavy logging, the control CPU 4.1.1-P12-
Infrastruc- may stay consistently high, when combined with SP1
ture the regular GUI operation. The issue is timing-
related and may get triggered, if a GUI operation
gets stuck while fetching system information, such
as memory or CPU utilization.
509935 SLB-L4 Major During the CPU round-robin processing, traffic 4.1.1-P9
matching the existing session was sent back to the
home CPU, resulting in higher data CPU condition,
on the target CPU.
509440 CGN-Infra Major It was observed, the connection was having a few 4.1.1-P12
issues in the show session, and as a result, the
ACOS device was getting crashed.
page 164
Feedback

A10
508825 Health- Major In ACOS 4.1.1-P12-SP1, removing the service group 4.1.1-P12-
Monitor- from VIP had caused health check failure due to SP1
DSR HTTP time out.
The failure was triggered when the service group

was unbounded and rebounded to DSR vPort.
As a workaround, the health check on the service

group was rebounded.
508751 SSL Major The SLB device closed the connection after receiv- 4.1.4-
ing client hello, which had TLS version 1.1 in the GR1-P2
recording layer, but TLS 1.2 in the message.
507436 System - Major The slow memory leak was observed in the 5.1.0-P2
platform A10scmd process.
506724 Web - ADC Minor The CSP was missing in some cases or had unsafe- 5.0.0
CGN inline or unsafe-eval, which needs to be removed.
506497 HW Critical The system restarted due to PCI NOT READY when 4.1.1-P9
the physical port was enabled and it caused port
flapping for 4 to 5 minutes.
506383 GiFW Infra Major When the incoming port and the outgoing port were 4.1.1-P5-
different and their extended-matching was disabled, SP2
the ICMP response was dropped.
The UDP/TCP/SCTP was not getting forwarded

when received from another interface from the
same zone.
506179 SSL Major There was an overflow bug in the x64_64 Montgom- 5.1.0
ery squaring procedure used in exponentiation with
the 512-bit module.
504745 System - Major There was a memory leak caused by the OCSP 4.1.1-P11
platform authentication, which is a part of the AAM.
504088 SLB-HTTP Major The HTTP pipeline process may go on hold or crash 4.1.1-P10
when there were pending requests in the queue,
and the server responded with a close connection in
the header.
501772 SSLi Major When a close-notify alert was received from the 4.1.1-P6
server on an SSLi server-side connection, where an
SSL renegotiation was triggered, the connection
may be closed prematurely, even though all the
data was not acknowledged yet by the client.
501240 AAM Major It was observed while configuring the debug packet 4.1.1-P13
filters, it did not get applied to the debug auth.
page 165
FeedbackF
Fee
e

A10
500551 SSLi Critical When trying to clear the cached certificate with the 4.1.1-P12
IP and the server name, the ACOS was crashing.
This crash was a result of the mismatch, in the due

date structure defined in the data path and the con-
trol path, which had different sizes, and eventually,
causing memory corruption.
500419 SLB-HTTP Major For multiple request proxy connections, when the 4.1.4-
original server was down, the alternative server was GR1-P2
reselected after receiving the request in keepalive
state.
The current connection of the server did not decre-

ment after the reselection. This impacted the traffic
due to the incorrect current connection count.
To resolve the issue, it was recommended to

remove and reconfigure the rport to reset the statis-
tics.
500287 SSL Major The information was disclosed in PKCS7_dataDe- 4.1.1-P12
code and CMS_decrypt_set1_pkey.
499846 Health- Major The DSR Health check sent out to incorrect over- 4.1.1-P9
Monitor- ride-port after configuration change caused the
Infra health-check failure.
To mitigate this risk, it was recommended to

remove the health-check and reapply the same
health-check under the service-group.
498828 Web 3.0 Major When connected to the ACOS GUI, session tokens 4.1.4-
exhibited low entropy (“randomness”). GR1-P2
498217 System - Major It was observed, when accessed through the con- 4.1.1-P8
manage- sole, the session did not get timed out.
ment
As a result of this, even when the session was not
used for a long time, the user remained in the
logged-in status.
To mitigate this risk, it was recommended to either

log-in the console to exit or reboot the box.
page 166
Feedback

A10
497129 SLB-Config Major when upgraded from ACOS version 411-P8 to the 4.1.1-P11
version 411-P11, the “no-dest-nat” disappeared.
Note: Starting from the ACOS release versions

4.1.1-P12 and 4.1.4, there is an additional check
added. It helps and prevents the user from configur-
ing the ‘no-dest-nat’ feature under a virtual-server if
the same service-group under the virtual-server in
question is bound to another virtual-server.
In some cases, there may be a specific requirement,

where the user needs to bind one service-group
under multiple virtual-server with ‘no-dest-nat’
enabled.
To accommodate such requirements, a new config-

uration option is added in 4.1.1-P13 and 4.1.4-GR1-
P3 onwards.
Reference: For more information on this enhance-

ment, see the following feature section, Same Ser-
vice-group Binding on Different “no-dest-nat”(DSR)
Virtual Ports.
496744 Health- Critical The DSR Health check sent out to incorrect over- 4.1.1-P9
Monitor- ride-port after the configuration change caused the
DSR health-check failure.
To mitigate this risk, remove the health-check, and

reapply the same health-check under the service-
group.
495755 Router Major When the static route was deleted in certain cases, 4.1.1-P11
it was shown in the IP route table, but not in the IP
rib.
495676 SLB-HTTP Major The ACOS did not forward the second response 4.1.1-P8
payload to the client when multiple HTTP response
codes were present in a single packet.
495519 Web - ADC Minor The browser used to save sensitive information in 4.1.4-
CGN the HTML form. GR1-P2
487612 AAM Critical It was observed, the AAM authorization was getting 5.0.0
failed. The issue was resolved and it started work-
ing normally, after a corrective measure of checking
the write memory and rebooting.
page 167
FeedbackF
Fee
e

A10
477124 HW Critical When rebooting the device, the 40Gig Ethernet 27/ 4.1.1-P9
28 with specific QSFPs was going down. The rem-
edy was to add SWDM4 QSFP+ and 100G SWDM4
optics support.
475021 SSL Major The email notifications were not sent, after the 4.1.0-P11
expiry of the SSL certificate.
462169 SLB-TCS Major When the import-periodic command was used in 4.1.0-P9
the ACOS, the PFX certificate did not get imported
periodically, and not even after 60 seconds, as con-
figured.
444037 AAM Critical It was observed, when trying to edit the aFleX, the 4.1.4-P2
ACOS was getting crashed.
394444 VCS Critical It was observed, a VCS cluster on 8 instances could 4.1.2-P2
not be formed, using the data interfaces.
388861 Web - ADC Major It was observed, the attempts to upload a complete 4.1.1-P2
CGN certificate chain from the GUI was failing, and only
the server certificate was successfully being sent.

The issues fixed for the version 4.1.1-P12 are listed in the Table 9. The issues are listed by A10 tracking
ID, beginning with the highest issue ID (the most recently logged issue)

A10
497136 AAM Major Some of the SAML logs were available under the other 4.1.1-P8
VIPs even after the filter 'debug auth virtual-server [VIP-
name]' was applied.
496942 GSLB Major The softHSM configuration was getting failed and 4.1.1-P9
aborted whenever the password was set with special
characters such as \.$.
496686 AAM Critical When aFleX is configured to trigger actions, based on the 4.1.1-P8
SAML attributes, the user may experience login failure
for a short duration, if the user tries to access a URL
immediately after logging out of the previous session.
page 168
Feedback

A10
496474 SLB-NAT Major The DNS response was getting dropped in those scenar- 4.1.1-P10
ios, where multiple DNS requests were using the same
tuple. It was noticed as the traffic failure, while running
the DNS load test, using resperf tool, with 'ip nat inside/
outside' in ADC partition.
496066 HSM Major The softHSM configuration was getting failed and 4.1.1-P9
aborted whenever the password was set with special
characters such as \.$.
495568 SSLi Major In GUI, displaying forge certs was causing high control 4.1.1-P10
CPU. A few new filters are now added in the GUI to allow
the users to retrieve specific certs and also reducing the
control CPU usage.
495565 SSLi Major The command show slb ssl-forward-proxy-cert 4.1.1-P10
<name> <port> all is deprecated, as it may cause high
control CPU resulting in system issues. Users are
encouraged to use show slb ssl-forward-proxy-
cert <name> <port> <IPadrress> command instead,
to retrieve specific certs.
495259 Health-Mon- Major When lib curl is used for external health checks, the 4.1.1-P5
itor-Infra system memory usage may grow gradually.
494610 AAM Critical Although the ACOS device was not getting reloaded or 4.1.1-P8
rebooted, still the status of the VRRP was changing. This
was due to the inappropriate internal buffer operation in
SAML library, resulting in the memory to overwrite, and
crash a10samld.
494425 SSLi Critical While retrieving a certificate for forging, the source NAT 4.1.1-P10
port was leaking, and the connection setup was failing.
To mitigate this risk, it is suggested not to use the for-
ward-proxy-source-nat.
494068 Web Cate- Major Due to the timeout, while receiving the data from the 4.1.1-P10
gory - URL BrightCloud server, an error message “Failed to receive a
Filtering response from the server x.x.x.x port 80 error Resource
temporarily unavailable” may be observed. To mitigate
this risk, it is advised to expand and enhance the “server-
timeout” under “web-category” config (The default value
is 15 seconds).
493753 SSL Major The SSL module was missing after an upgrade from 4.1.1-P11
2.7.2-P14 to 4.1.1-P11. The SSL key memory initialization
was failed, when the number of PX was increased on a
low memory system, and due to the invalid calculations.
492694 Web - ADC Major In the GUI mode, the “PartitionSlbServiceAdmin” user 4.1.4-P3
CGN could not manage partitions. The user configured “Parti-
tionSlbServiceAdmin” in RADIUS, using the ClearPass
Policy Manager, to manage two partitions, but could only
manage one partition. This role earlier worked on the
older version of ACOS 4.1.1-P3, but after upgrading to
the version 4.1.1-P8, it stopped working.
492106 System - Enhance The 'showtech' files did not show the complete log 4.1.1-P8
platform ment records, as the log file size limit was small, and the parti-
tion limit was maximum.
page 169
FeedbackF
Fee
e

A10
491027 Health-Mon- Critical The NTP SLB health monitor were failing, when the peer 4.1.1-P8
itor-L7 clock stratum value was 15 for the NTP protocol.
490865 SSLi Major When the 4.1.1-P8 was upgraded to 4.1.1-P11, it was 4.1.1-P11
found that the “no-dest-nat” was missing, and attempts
to add the config resulted in an invalid status. On SSLi
Explicit Proxy virtual port, the same service-group with
the “no-dest-nat” combination was not allowed to config-
ure to multiple HTTP virtual ports.
488695 Health-Mon- Major Due to an error in an internal python script, the database 4.1.1-P10
itor-L7 health monitor script did not work as expected in the
ACOS 4.1.1-P10 and ACOS 4.1.1-P11 versions. To miti-
gate this risk, the same functionality can be done
through an external database health check script.
487996 L2/L3 Major When the “system ve-mac-scheme system-mac” com- 4.1.0-P10
mand was configured in the VRRP in-line deployment
mode, the active box in the L3V partition forwarded the
ARP packets of the standby box.
485272 Explicit Major The App buffer leak might happen in EP(TP)+proxy- 4.1.1-P9
Proxy chain+ssli scenario. On the FPGA platform, high layer
modules need to free buffer on their own. The buffers are
available in various states and threads. The app buffer
leaks could be seen stuck “in App” state.
441538 SLB-DSR Critical Under certain circumstances, in L2 DSR deployment, the 4.1.1-P6
ACOS did not send any health-check information to the
real server. This change was to block the same service-
group from binding to multiple virtual ports in the DSR
health-check scenario, as it could result in unwanted
behavior in health-check. It also helped in identifying the
connected VIP or all the VIPs associated with the con-
cerned service-group, when it was down. By enabling the
health check again, this can be addressed.
401023 Health-Mon- Major The health monitor for MySQL database leaves an erro- 2.7.2-P11
itor-L7 neous log message on the server when the TCP socket
for the health monitor was closed without a “QUIT” or
“Exit” command.
387028 VCS Major Using ACOS GUI, file import for an AppCentric Template 4.1.0-P9
package upgrade process was failing, when aVCS was
used. Once this issue was triggered, the upgrade or
downgrade process for the ACT template was not possi-
ble. To mitigate this risk, it is suggested to upgrade to
4.1.4 version.
page 170
Feedback

The issues fixed 4.1.1-P11 are listed in the Table 10. The issues are listed by A10 tracking ID, beginning
with the highest issue ID (the most recently logged issue)
TABLE 10Issues Fixed in Release 4.1.1-P11

A10
485527 CGN-Infra Major The configurable "ip frag timeout" range <4-16000> did 4.1.4-GR1
not match the default value (60000) and was not
included in "show run with-default" output.
484792 Explicit Major In the proxy-chaining scenario when a CONNECT request 4.1.1-P10
Proxy arrives, Thunder had a server certificate for the request.
When a DNS query is required, the request is not handled
correctly.
484720 WAF Major Failing to get the full page in case of a large page if both 4.1.1-P10
form consistency/csrf check and no-cache are enabled.
484369 SLB-L4 Major Issues with creating sessions on standby device via 4.1.1-P11
VRRP-A session sync. The following error was generated:
Conn Sync Zone Failure: 6326. Error counter in the “show
vrrp statïc” command kept increasing becaue the zone id
of session sync message was not being initialized.
484351 SSLi Major The "show slb ssl-forward-proxy-cert" command causes 4.1.1-P9
unexpected behavior when used during heavy traffic with
a high number of cached certificates. In this case, the
"show slb ssl-forward-proxy-status" command is prefera-
ble.
483859 SSLi Major When ACOS verifies client's certificate with OCSP server, 4.1.4-P2
it may crash if the OCSP timeout expires.
481906 SLB-HTTP Major Dynamic priority of DRS does not update after it is 4.1.1-P5
changed from CLI.
481690 L2/L3 Major ip mgmt-traffic web source-interface loopback 1 did not 4.1.0-P11
work for httpd, while acting as a web agent to handle
axapi request.
480859 Web - ADC Major When searching text such as "Mar 06" in the GUI under 4.1.1-P11
CGN System >> System Log >> search button, results will
appear in multiple pages, and clicking next in the pagina-
tion bar will show no items.
480823 SLB-Config Major A system crash occurred when the service group was 4.1.1-P6
modified.
480613 SLB- Major Vports of type radius with stateless-per-pkt-round-robin 4.1.4-GR1
RADIUS method randomly dropped radius responses.
480562 aXAPI v3 Major The AXAPI RIB call does not support ECMP. Paged 4.1.1-P11
requests greater than 30 entries for the AXAPI RIB fails
480559 aXAPI v3 Major The AXAPI RIB call did not support ECMP. The “/axapi/ 4.1.1-P8
v3/ip/rib/oper” option only displayed thefirst entry for
dynamic (BGP) ECMP route. Paged requests for more
than 30 entries for the AXAPI RIB also failed.
page 171
FeedbackF
Fee
e

A10
480388 Web - ADC Major GUI reports zero when a10Stat misses the timing of writ- 4.1.2-P3-
CGN ing data into rrd file. When accessing GUI Dashboard >> SP2
CGN, customer sees a drop in at least one graph. There
was no corresponding no traffic drop reported by users
or any other connected networking devices. A 40x
response code was not found in varlog
480229 System - Major A trunk interface flap was caused by an LACP PDU being 4.1.1-P5-
platform sent on the wrong interface. This is a rare condition. SP2
480175 SLB-HTTP Major When the DRS server is deleted because of TTL expiry, 4.1.4-P2-
server side connections formed by the connection-reuse SP1
feature were not yet fully deleted. This results in new cli-
ent connections using existing server-side without using
the server state which was deleted. This issue can be
seen with a normal non-DRS server as well.
480061 WAF Critical POST request with application/json and charset (any) 4.1.1-P8
and content-encoding gzip. The uncompressed data
sometimes has zero length chunks that cause a malloc
error and, hence, an assert crash.
479968 SLB-HTTP Critical When the http server response has neither “content- 4.1.1-P8
length” nor "transfer-encoding" and the http template
“response-content-replace” option is configured, ACOS
uses chunked encoding but does not send the last chunk
to the client because it does not support this case.
479038 SSL Major In server SSL configurations, SSL connection could not 4.1.4-GR1
be establish when the server uses certificate without sub-
ject and SAN section.
479014 WAF Major A high hit count is noticed in the AX3200-12 box for uri- 4.1.0-P8
blist-check values.
478900 SSL Major The traffic fails when GCM cipher is selected on the back- 2.7.2-P12-
end server side with client-ssl template. SP3
478858 aFleX Major When using aFlex on L4 TCP VPort which has 4.1.4-GR1-
TCP::respond statement under SERVER_CONNECTED P1
event, buffers could be stuck when used together with
syn-cookie. Both SW and HW syn cookie exhibits the
behavior.
478372 ConfigMgr Major The "hm" privilege was not available in the GUI. 4.1.1-P10
478267 SNMP Major Memory leak on a10snmpd was caused by snmpwalk 4.1.4-P1
multiple OIDs.
477868 aXAPI v3 Major Frequent axAPI calls to write to all partitions causes all 4.1.0-P11
forms of the software to hang. This includes the GUI, CLI,
and axAPI sessions.
477826 GSLB Major You might experience high memory usage when adding a 2.7.2-P12-
GSLB group configuration and synchronizing the current SP3
session to the group configuration.
477757 AAM Major The HTTP OPTIONS method is supported for Security 4.1.1-P9
Assertion Markup Language (SAML) authentication on
the virtual port.
477124 HW Critical When rebooting the device, the 40Gig Ethernet 27/28 4.1.1-P9
with specific QSFPs goes down. Remedy was to add
SWDM4 QSFP+ and 100G SWDM4 optics support.
page 172
Feedback

A10
476674 System - Major Sometimes the user sees a log message indicating the 4.1.1-P9
platform voltage is below threshold. There is no specific trigger.
476596 Web - ADC Critical When the browser is in a dfferent timezone as the Thun- 4.1.1-P9
CGN der device, the time of chart may display incorrectly.
476539 GSLB Major When disable is omitted from dns record commands 4.1.1-P8-
under zone->service, the disabled service was not reset SP1
properly.
475738 SLB-L4 Major When a short aging value is configured (1-30 seconds), 4.1.1-P9
and no response is received, the session age turns to 2
seconds if ACOS UDP virtual port receives duplicate que-
ries in a short time.
473392 GSLB Major GSLB geo-location objects defined by special characters 4.1.4-P3
cannot be configured by the CLI and the GUI hangs when
the object is saved.
471484 System - Major The "write memory primary/secondary partition <parti- 4.1.1-P5
manage- tion name>" incorrectly saves the partition configuration
ment as the shared partition's startup-configuration.
471481 System - Major 100G QSFP28 ports are disabled when a TH7440-11 is 4.1.4-P3
platform reboobted and has a system mon-template setting that
disables links.
470689 L2/L3 Major After upgrading TH3230/TH3430 to Version 4.1.0-P11 4.1.0-P12
(from 4.1.0-P7), the line protocols remain down even
after the physical interfaces are up. This results in LACPD
running without sending packets.
470359 SLB-HTTP Major Enhance HTTP URL/header warning message when 4.1.0-P11
header name length exceeds maximum limit to include
Source/Dest IP address and port numbers.
470047 SLB-L4 Major The idle timer expires within 60 sec when half-open-idle- 4.1.4-P2
timeout is configured upon the tcp-proxy. The causes a
session to not use the idle timer even when a client con-
nection is established. As a result, tcp proxy applications
age-out when they do not contact the back-end server for
more then 30 seconds.
468385 aFleX Major System may reload when it parses DNS record type 10 2.7.2-P7-
with content string longer than 300 bytes. SP3
468224 Web - ADC Major GUI displays "communication error with lb process" when 4.1.1-P9
CGN saving a configuration within a private partition.
465358 DP-Infra- Major aFlex may sometimes reload when dynamically updating 2.7.2-P12
BW-Class- a class-list and using the aXAPI. This issue only occurred
List if aFleX is running CLASS:match. This issue occurs infre-
quently, and only seems to happen when the control
plane is deleting (freeing) the string and aFlex (on the
data plane side) is querying the same string entry at the
same time.
461476 SLB-NAT Major SNAT-on-VIP did not work for the command "ip nat 4.1.4-P2
range-list".
page 173
FeedbackF
Fee
e

A10
457621 SLB-L4 Major The "ve-stats enable" command does not work properly. 4.1.4-P1
When the option "use-recv-hop" is used on the virtual port,
the ACOS device does not count the ve-stats packets cor-
rectly for reverse traffic on the ve interface. Without this
"use-recv-hop" option enabled, the packet counter looks
correct.
453239 SLB-NAT Major The user found that while config nat pool-group instead 4.1.1-P5
of nat pool, clientip-sticky-nat did not work.
453211 VRRP Major The user found that there was an incorrect sync status 4.1.1-P8
and the configuration sync details did not get displayed
when the resource-usage commands were present in the
configuration.
452995 SSL Minor The user found that the ACOS did not send the message 2.7.2-P10
Close Notify and instead sent a message FIN/ACK with
1s delay when the half-open-idle-timeout was enabled.
450017 SSL Major When using CRL to check the client certificate, a system 4.1.4-P2
crash occurred when there was an existing SSL session.
446749 SLB-Config Major The standby ACOS device in a VRRP-A pair shows the 2.7.2-P12
status of a virtual server as “unknown”.
445981 L2/L3 Critical Errored packets(giants/runts) caused the internal mem- 2.8.2-P6-
Broadcom/ ory recovery conditions which caused the ASIC software SP4
Marvell reload.
444229 WAF Critical "Web Application Firewall does not support HTTP 4.1.1-P8
""PATCH"" method. Use Layer-3 virtual partition to sepa-
rate traffic using the PATCH option to another virtual
server without WAF template."
441538 SLB-DSR Critical “Under certain circumstance, in L2 DSR deployment, 4.1.1-P6
ACOS did not send any health check to the real server. As
a workaround, enable health check again.”
441100 ACL Major The 'Rule already configured for this ACL' message may 4.1.1-P6
display incorrectly when permitting a subnet that con-
tains a smaller subnet for which a deny rule already
exists. Workaround: define subnets in the object-groups
and see the object-groups in the ACL statements.
439762 SLB-Config Major The server port max conn-limit change from 8M to 64M. 4.1.1-P8
436378 SLB-L4 Major The existing connection client source port matching a 4.1.4-
newly created service port is resulting in client packet
drop.
435514 VRRP Major Received IPv6 VRRP-A packets were treated as "missed" 4.1.4-P1
packets.
424598 SSLi Critical Memory leak resulted from large traffic in single-ACOS 4.1.4
dynamic SSLi scenario.
414913 SLB-Config Major Virtual Server and Virtual Port updates were not in sync. 2.7.2-P9
This led to a situation where, when vserver and vport
were disabled and the device dropped to standby mode,
the vport would stay disabled even after box returns to
active mode.
407713 SSLi Major The number of cached certificates statistics did not 4.1.0-P9
appear in "showtech".
page 174
Feedback

A10
403180 HW Major On the TH940 and TH3040 models, the output of the 4.1.1-P5
show log command displays a non-existent fan failure.
400927 System - Major ACOS does not reset the interface after 3 unsuccessful 4.1.0-P9
platform attempts.
395242 VRRP Major A VRRP-A interface does not work properly when "both" 4.1.0-P9
(router and server) and "vlan" are configured for the inter-
face.
370636 SLB-Persist Major The ACOS device reloaded if there was an IPv6 VIP con- 4.1.1-P8
figured with SSL-ID persistence, and if the existing ssl-
session-id session matching was not proper.


A10
477001 Explicit Major When pointing the Client proxy setting to Explicit Proxy 4.1.4-P3
Proxy while ACOS configures SSLi EP chain, ACOS unexpect-
edly reloads when Client sends non-HTTP SSL traffic.
One example is joining Zoom meetings.
476596 Web - ADC Critical When the browser is in a dfferent timezone as the Thun- 4.1.1-P9
CGN der device, the time of chart may display incorrectly.
476540 Firewall Major FW session age was not correct when "tcp half-open-idle- 4.1.1-P10
timeout" is configured. This option no longer affects fire-
wall established session.
476152 WAF Major Memory was corrupted or device crashed with corrupted 4.1.0-P8
stack trace when remove-comments or remove-selfref is
enabled (url-options) and and arguments are sent with
self-ref or comments that cross over argument parsing.
476079 SLB-TCS Major No TCS session was created for wildcard VIP with ACL, 4.1.4-P2
resulting in an unable to establish TCP session condition.
475999 L2/L3 Critical Adding interface as a member of LACP trunk results in 4.1.1-P6
"show log" command displaying a "[L3]:LACP: Parse error
for message NSM LACP Aggregator Config" message;
interface remained in BLK state. Issue was incorrect
removal of tagged interface from an L3V partition.
475939 TCPIP Major ACOS Server-side TCP handshake advertises lower initial 4.1.1-P8
window size when initial-window-size parameter is con-
figured under tcp-proxy template. This causes delay in
response from the application for users.
page 175
FeedbackF
Fee
e

A10
475690 System - Major "A file (a10scm_bitmap.dat) appears in /tmp folder on 4.1.4-GR1
platform ACOS running for long time, more than around 40 days
creating variable log messages without any operations.
The periodic systemd-tmpfiles-clean program was delet-
ing the /tmp/a10scm_bitmap.dat file.
After an ACOS reload this file was not recreated, making

the message appear repeatedly. The systemd-tmpfiles-
cleaner timer configured to run once every 24 hours
cleans up unused files in /tmp for more than 10 days.
Some a10scmd files and license bitmap file were getting
cleared. Once the file was deleted, the error message,
""Cannot open file /tmp/a10scm_bitmap.dat"" was dis-
played in the logs. This also affected other files or folders
with root ""write"" permission under /tmp directory."
474820 System - Major When multiple CPUs running simultaneously attempt to 4.1.0-P11
platform send system packets, a process reset occurs.
474633 AAM Major AAM authentication fails when using a service group. 4.1.1-P5
This occurs because a different server is used after the
initial request, but the second server cannot recognize
the value for the state attribute.
472348 System - Major Import-periodic process (scp and sftp) does not support 4.1.4-P3
manage- <:port> parameter in the URL. This requires use of the
ment default port. The import process does support the param-
eter.
471694 System - Major The system-reset command must not reset the multi-ctrl- 4.1.1-P10
platform cpu setting. However, the default multi-ctrl-cpu 2 setting
on high-end Thunder models incorrectly reverts to multi-
ctrl-cpu 1 by system-reset.
471613 SLB-FIX Major Current SSL connections count does not decrement cor- 4.1.1-P8
rectly in some cases; in these cases, the counter
increases correctly.
471535 SLB-L4 Major THE actual UDP session timeout behavior differs from 4.1.4-P2
the behavior described in the is different from the CLI ref-
erence document.
470896 Web Cate- Enhance The system-reset command does not remove the license 4.1.4-P3
gory - URL ment of the web-category.
Filtering
470413 Harmony- Critical Thunder experienced memory leak when it cannot reach 4.1.4-GR1
Controller- the host address configured in the Harmony Controller
Integ profile.
470407 VRRP Major when removing or adding-back the inline-mode configu- 4.1.1-P8
ration, while the VRRP-a active - standby is running nor-
mally, the set-back of inline mode does not update the
flag correctly in internal logic, so the box does not run in
correct standby inline mode status.
470080 System - Major On Version 4.1.1-P6-SP1, (build 21) a physical interface 4.1.1-P6-
platform flap issue caused an LACP member flap. SP1
469858 Explicit Major Snat-on-vip does not work when a) L3 NAT is configured 4.1.4-P2
Proxy as Static NAT, and b) Explicit Proxy.
page 176
Feedback

A10
469576 SLB-Config Major Renaming a virtual-server ("rename" command, global 4.1.1-P8
config level) in a private partition that contains more than
64 virtual-servers generates a "virtual-server does not
exist" error. Statistics for the virtual-server also disap-
pear. Rebooting the device restores the renamed VIP.
469417 Web - ADC Major Class lists generated through CLI are stored in configura- 4.1.4-P2
CGN tion mode. The import command or GUI import (local or
remote) must not be able to write over these ACLs.
469156 Harmony- Critical A device may experience a system reset when it receives 4.1.1-P8
Controller- an HTTP request with random characters in the user-
Integ agent field while it is registered to harmony controller.
468538 Platform Major axAppGlobalBufferCurrentUsage does not work for non- 4.1.4-P2
FTA models that run DPDK mode.
468529 SLB-L4 Major The "clear slb virtual-server" command that specifies a 4.1.1-P6
specific virtual server improperly clears stats from all vir-
tual-servers.
468505 Visibility & Major Harmony controller status and statistics are missing in 4.1.1-P8
Analytics the periodic showtech. "Showtech" must include "show
harmony-controller status" output to facilitate verifying
actual registration status instead of relying on running-
config.
468403 SLB-Config Major Editing a "no url-switching regex-match" command within 4.1.4-GR1-
an HTTP slb template causes a system crash under cer- P1
tain conditions.
468330 CGN-NAT64 Critical Under certain conditions, Thunder 6430 configured for as 4.1.1-P6-
CGN reboots itself after a crash. SP1
468325 aFleX Major ""TCP::payload replace"" may not work correctly when 4.1.0-P11
data is piggybacked with ACK during client three-ways
handshakes. See description section for the aFleX script."
468061 aXAPI v3 Major GUI reports an unexpected "Field value does not match 4.1.1-P8
(field: host-switching-type)" error message when updat-
ing an HTTP template.
467950 ConfigMgr Major Invalid AXAPI body caused the configuration manager to 4.1.1-P8
crash.
467929 System - Major Version 411-P8 uses old style rimacli-based "show" com- 4.1.1-P8-
manage- mand, resulting in different backend support for axAPI SP3
ment and CLI.
467827 WAF Critical If WAF was enabled, the ACOS device reloaded upon 4.1.1-P8
receiving a client's invalid chunked request with 100-Con-
tinue.
467515 GiFW Infra Critical Firewall log messages contain invalid notation of IPv6 4.1.1-P5-
address. SP2
466714 SSLi Major After replacing the client SSL-template which is bound to 4.1.1-P8-
the virtual server ports, running the command, config- SP2
sync, and after a failover scenario, the active device does
not bypass SSL traffic identified in the forward-proxy-
bypass class-list.
page 177
FeedbackF
Fee
e

A10
466213 aXAPI v3 Critical Any aFleX script in the GUI list cannot be edited after 4.1.1-P9
upgrading from 4.1.1-Px to 4.1.1-P9. The GUI allows the
addition of new aFleX scripts, but while attempting to edit
the aFleX script, the GUI gives an error. Even the pre-
loaded aFleX scripts, such as client logging, cannot be
edited. However, using the CLI command "show aflex xx"
works fine.
465870 Explicit Critical In Explicit Proxy deployments, the SSLi module reloaded 4.1.1-P10
Proxy while updating the class-list.
465490 aFleX Major The Block-replace API call is failing and producing the fol- 4.1.1-P9
lowing error: "Service group is currently used. Please
remove binding and try again."
464941 ConfigMgr Major An issue created a bad state object-group when a new 4.1.1-P8-
object-group is created with an existing object-group SP2
name on the Standby unit, and the manual configuration
synchronization is performed. The ACL entry associated
with the bad state object-group does not work and can-
not be removed through CLI or GUI.
464836 System - Critical When a request matches, and if the action was config- 4.1.4-P2
platform ured to 'drop' the request, then it was dropped as
expected. However, some flags were not correctly reset,
and this caused the request to "have a change to make
explicit proxy reload."
464764 SLB-TCS Major In the TCS configuration, if the server response is IP frag- 2.7.2-P8
ment, the Ping-Pong issue occurs between the Thunder
device and the cache server.
464740 System - Major Template logic had an error. This was manifested by a 4.1.4-P2
platform link-disable command that did not disable all linked 100G
interfaces when one interface became disabled. The
logic was corrected.
464629 SLB-FTP- Major When using FEAT command, the device expects a suc- 4.1.4-P3
Proxy cess response from the server and, upon receipt,
changes the state from server_response to client_re-
quest. In a specific configuration, FTP server responds to
a FEAT command with an 500 Error, resulting in the state
machine never changing from the server_response state.
464518 SLB-Config Major When the most recently added rport under an rserver was 4.1.4-P2
not bound to a service group, the a "graceful-shutdown
after-disable" did not function properly after disabling
rserver.
464354 Web - ADC Critical Dashboard displayed memory usage decrease to 0. 4.1.1-P8-
CGN SP1
464093 SLB-Config Critical Policy based port that is disabled can be internally con- 4.1.1-P8
sidered incorrectly to be up. The trigger for appears to the
policy based disable commands, including disable-when-
any-port-down or disable-when-all-port-down.
463772 FW-CGN- Critical FTP Active mode does not work in L2 bridge mode. FTP 4.1.1-P6-
ALG-FTP ALG edited the outgoing PORT packet with the NAT pool SP1
IP address and port but the SYN from the FTP server was
dropped.
page 178
Feedback

A10
463192 SSLi Major ACOS device stopped functioning due to Page Table Cor- 4.1.0-P11
ruption on the outside SSLi Device and ATP setup running
with a domain controller, when decryption-encryption
was enabled.
462721 Chassis Major The "show interface" command suddenly displays wrong 4.1.2-P4
Platform bytes counter on ACOS device for both input/output
bytes counters.
462293 Web - ADC Major "When VRRP is configured from GUI without a device ID, 4.1.4-P3
CGN VRRP is not enabled. When device ID is entered, VRRP is
still non-functional until VRRP-A is disabled then enabled.
Workaround: To resolve this, an error message "Please

configure VRRP-A device ID first before enabling VRRP-
A." is added.
461587 System - Major OpenSSH (through 7.7) is prone to user enumeration vul- 2.0.0
manage- nerability due to not delaying bailout for an invalid authen-
ment ticating user until the packet containing the request is
fully parsed.
461440 CGN-NAT Major a10snmpd memory increased on a CGN configuration. 4.1.4-P2
Pool
460658 SNMP Major SNMP cannot be counted after the a10lb process 4.1.1-P9
restarts subsequent to killing the process. While a10lb
restarts, all processes must restart; however, a10sn-
mp_trapd did not restart, which inhibits the ability for pro-
cesses ot sync on shared memory.
460519 Logging Major Whenever there was a failed login, the ACOS did not send 4.1.1-P8
Infrastru- log IP address of the remote host, for the GUI usage.
ture Instead, it sent a brief one line of log message without the
source IP, from which the host was from.
460018 WAF Major When the WAF is in passive or learning mode, an ACOS 4.1.1-P8
crash can occur if the WAF successfully parses XML
related checks.
457174 SLB-L4 Minor Aging short does not work correctly when idle-timeout is 4.1.1-P5
less than 31 seconds and re-select-if-server-down is con-
figured.
457108 SLB-Policy Major PBSLB class-list configured for vport 53 does not work. 4.1.4-P1
456791 SLB-Config Critical Configured virtual server was unexpectedly duplicated 4.1.1-P9
with the name of an existing virtual server.
456086 SLB-NAT Major Auto-NAT does not select the correct floating IP address 4.1.4-P2
under specific configurations.
452917 SSL Critical ACOS may reload while processing heavy SSL traffic due 4.1.0-P9
to invalid memory access. This issue is more prevalent
on systems with 8GB memory or less.
452395 SLB-HTTP Major ACOS was crashing when it tried to parse bad or invalid 2.7.2-P11
Set-Cookie headers sent by the server.
452140 SLB-Config Enhance The user found that the Traffic-replication did not work 4.1.1-P8
ment when the pool was selected with aFlex.
451804 WAF Critical ACOS system sometimes rebooted if you enabled the 4.1.1-P5
WAF "form-set-no-cache" option in learning mode.
page 179
FeedbackF
Fee
e

A10
445240 SLB-HTTP- Minor We use a new character set that complies with rfc 6265. 2.7.2-P11-
Cookie Cookies from clients with the old character are accepted. SP6
While persist works, a new set cookie is sent and "no
insert-always" is required for this.
445001 Explicit Critical a10lb crash caused by long host name, which caused the 4.1.4-P2
Proxy variable "i" to exceed MAX_LOG_BUFFER_SIZE. This
resulted in memory corruption.
442579 SLB-L4 Critical In the CPU load-sharing scenario, the L3 traffic is not 2.7.2-P10
being processed by the non-home CPU when the home
CPU experiences high CPU usage.
441253 TCPIP Major In an inter-partition route where the VIP in the L3V parti- 2.7.2
tion was accessing the server in a shared partition, the re-
transmitted SYN flags sent to the server were inconsis-
tent. The first re-transmission went out of the shared
(eth3) partition as expected, but the rest of the re-trans-
mission followed the L3V default route (eth2).
440329 Health-Mon- Major In a certain condition, a SSL health monitor failed when it 2.7.2-P11
itor-L7 received a NewSessionTicket handshake message.
439457 ConfigMgr Major On GUI, when a member is added for the first time with 4.1.1-P8
priority or template under service-group, the priority or
template does not work even after refresh.
437239 Explicit Major Version 4.1.1-P10 includes a patch that, when applied, 4.1.4
Proxy assures that the Thunder device does not send a request
with user credentials in proxy-chaining bypass cases.
437092 System - Major Port mirroring and monitoring functionality will not work 4.1.1-P6
platform properly for ports which are members of the trunk group.
434257 AXDebug Major Certain flow may be saved and display even when it did 4.1.0-P9-
not match the AXDebug filter. This happens on TCP proxy SP3
based applications involving multiple flows.
431695 System - Critical The a10lb process was getting stopped whenever the 4.1.1-P8
platform a10stat process was waiting or busy.
427159 SSL Minor In SSLi deployments, the ACOS device occasionally does 4.1.1-P5
not close the TCP connection when ACOS fails to verify a
server certificate by server-ssl template with ca-cert.
425884 SSL Major Openssl incorrectly used pointer arithmetic for heap-buf- 4.1.4
fer boundary checks, which can allow remote attackers
to cause a denial of service (integer overflow and applica-
tion crash) or have unspecified other impact by leverag-
ing unexpected malloc behavior.
422764 System - Major After reload a10lb mutliple times sshd process 4.1.1-P7
manage- attempted to running when sshd.pid file was not avail-
ment able, which resulted in sshd errors.
420737 SLB-L4 Major Short aging did not work in UDP port. Aging short means 4.1.4
that when the response is received the session needs to
be deleted.
420490 SLB-FTP- Major ACOS incorrectly starts the server side connection at the 2.7.2-P11
Proxy moment when the client side connection is established.
For slow clients, this can require more ACOS resources
page 180
Feedback

A10
417946 SLB-Config Major Device crashed on htx_poll. Symptom is that system may 4.1.1-P5
crash with backtrace as reported, triggered by heavy lnx
traffic transmission.
407953 SSL Major The SSL cps counter on the ADC dashboard displayed 4.1.1-P3
the value for only server-side SSL connections.
392011 SLB-L4 Major "When the access-list is configured on VE interface, CPU- 2.7.2-P11
LS is not working properly. This issue is seen, only when
cpu-rr is enabled, ICMP traffic is not routed by non-home
CPUs, and there is an incident of (permit) ACL applied
under interface.
It results in TCP/UDP packets getting forwarded and cre-

ating ACL sessions as expected."
389800 SLB-L4 Major ACOS did not adjust the sequential acknowledge num- 2.7.2-P8
bers in the SACK option when the SSL-SID template was
used under the TCP virtual port. When the TCP virtual
port was used with SSL-SID persist template, the ACOS
device functioned as a TCP proxy, an error occurred
when the client sent a TCP packet with SLE and SRE
options to the server.
387457 SLB-L4 Major The traffic was not load balanced when min-active-mem- 2.7.2-P9
ber 1 was configured.
340028 System - Major The GUI did not display aFleX script content properly 4.1.1
manage- when an aFleX script with a space in the name is updated
ment in the CLI.
228013 SLB-HTTP Major Virtual servers improperly send SYN to a server on port 2.7.1-P4
65335 when the VIP is configured with 1) port 80 (HTTP)
and 2) a service group that includes port 0.
page 181
FeedbackF
Fee
e


A10
463180 SLB-Config Major In prior releases, the VIPs and static NAT could not 4.1.1-P9
have the same IP address, but now they can.
456283 ACOS Major Our CLI guide source-nat auto section says that float- 4.1.1-P1
ing-ip is required for session sync.
But only floating-ip is required if virtual-port configura-

tion is not configured as a target of session sync.
The word “for session synchronization” is removed

and replaced with following description “A floating IP
addresses which can be reached from real servers is
required”.
460090 VRRP Major When using the CLI command, config sync all-parti- 4.1.4-P1
tions, a high CPU condition can occur if there are
many axdebug pcap files stored in an L3V partition.
459981 SSLi Critical If the transmit-buffer is configured in an HTTPS virtual 4.1.4-P2
port, some packets may be queued and some were
not forwarded. This could cause content past a cer-
tain size to become truncated.
458710 aFleX Major Packet and byte counts by aflex IP::stats command 4.1.1-P8
are not correct.
458569 System - Major The latest CVE fixes CVE-2018-5391m: 3.2.2 -P6
platform FragmentSmack.
457402 System - Major Some Ethernet interfaces were unable to send out 4.1.1-P8
platform packets when the control plane traffic has a mixture
of "og" jumbo and non-jumbo traffic.
457399 System - Major The latest CVE fixes CVE-2018-5390 fix for 3.19 ker- 3.2.2
platform nel.
457243 SLB-DNS Major Malformed DNS packets with incorrect data length in 4.1.0-P5
the rdata section of DNS OPT header causes high
CPU usage or CLI to hang.
457234 VRRP-A Major When VRRP-A configuration synchronization is 4.1.4-P2
changed from active to standby, the 'smtp mailfrom
<email-id>" and 'lldp system-name <name>' com-
mands are overwritten.
457090 aFleX Major When the selected server fails, the persist uie session 4.1.4-P1
was not synchronized with the standby session as
expected.
456559 System - Major In this patch, when backup system is restored via 4.1.1-P8
manage- interface management, the ip control-apps-use-
ment mgmt-port of mgmt. port disappears.
page 182
Feedback

A10
456376 Explicit Major The Thunder device reloads when destination class- 4.1.4-P1
Proxy list is configured in policy template and "OPEN" com-
mand is executed with a hostname.
The cause of this reload is that EP does not handle

FTP "OPEN" command correctly, so an invalid host-
name is used.
Solution: Use "SITE" command instead of "OPEN"

command to avoid the reload.
455950 Firewall Critical A patch fixes the following multicast/broadcast SMP 4.1.1-P8
match problem: Configuring dest zone may result in
an SMP match problem for multicast and broadcast
traffic. When a permit rule for multicast/broadcast is
configured, packets fail to match SMP but match the
rule and FW creates another SMP (with the same IP
addresses and ports) for it. Because these duplicated
SMPs use the same ports-IP addresses, they are in
the same hash. This results in long traverse times for
the list and causes unexpected behavior.
454699 RBA Major RBA user who did not have permission to access the 4.1.4-P1
showtech file was able to export the complete show-
tech file through the ACOS GUI.
454394 ConfigMgr Critical In the HA environment, if the configuration synchroni- 4.1.1-P8
zation is performed periodically using the external
health monitor, the configuration on the Standby
device was cleared.
Note: Do not perform config sync frequently.

454339 SLB-ICAP Critical When sending a GET request via http-proxy tunnel and 4.1.4-P2
using Telnet, this caused the ACOS device to reload.
453919 VRRP Major The ARP request was dropped when the Standby 4.1.1-P5
device rebooted and the VRRP-A was in the initializa-
tion (init) state.
453655 AAM Major In the Form-based Relay, if the user password con- 4.1.1-P8
tains the percentage (%) character followed by 2 dig-
its, the back-end application server authentication will
fail.
453357 AAM Enhance When NTLM was configured, uploading large files to 4.1.1-P9
ment SharePoint 2016 was failing.
page 183
FeedbackF
Fee
e

A10
453100 L2/L3 Major The following issue was noted: 4.1.1-P9
- The LLDP Port value did not have space, like an Inter-
face name.
- The LLDP packet and in the PCAP, in which the port-

id was interacting, had no space.
- The port-id in LLDP packet with sub-type interface

name did not have whitespace in between interface
name and number.
- As in the description, the port-id did not start with

uppercase letters.
This was apparently causing an issue for the valida-

tion from the vendor when the user tried to deploy
ACOS.
452815 SSL Major ACOS does not free up the memory blocks used for 4.1.1-P8
parsing HTTP responses 2xx coming from an ICAP
server. This could cause memory exhaustion while
processing ICAP traffic over time.
452158 aFleX Major The user found that aFleX memory leak was seen with 4.1.0-P11
CLI deploy block-replace. It was found while running
the aXAPI calls with block-replace and a memory leak
in the aFleX 256 and 1024 blocks.
452143 ConfigMgr Major The user found that aFleX stack trace was seen with 4.1.0-P11
CLI deploy block-replace. It was found while running
the aXAPI calls with block-replace and aFleX stack
trace generated. The user was required to recreate the
same and run the aXAPI calls in a while and loop for a
few minutes to see the stack traces.
452080 VCS Critical The user found that there was a key parse error on the 4.1.0-P11
vBlade when the vMaster imported a key with the spe-
cial character through the GUI. It was noticed while
importing a key with the special character through the
GUI process, there was a parse error which occurred
on the vBlade. This issue happened only through the
GUI process and the CLI mode was working fine. The
users are advised to use the CLI method to import the
certificate/key for the optimum result.
452014 SLB-SQL Major The MySQL virtual port and a long username of over 2.7.2-P13
32 characters caused unexpected software restart.
Configuring a long username (exceeding 32 charac-
ters) on MySQL virtual port caused buffer state
change reload after the login was rejected, when the
buffer was freed.
451957 Explicit Major When configured as an Explicit Proxy, the ACOS sys- 4.1.1-P8
Proxy tem reloaded upon deleting the AC entry in a class-list
while a request hit the forward-proxy rule.
page 184
Feedback

A10
451890 System - Critical The Thunder 3230S system could not forward bridge 4.1.1-P8
platform protocol data units (BPDU) when the spanning tree
mode was Per-VLAN Spanning Tree (PVST) on a peer
Cisco switch. When ACOS received the BPDU packets,
it dropped them at HW forwarder level incorrectly.
451807 SLB-L4 Major An incorrect VRRP-A MAC address from the shared 4.1.1-P8
partition was used to route traffic in the partition.
451675 SNMP Major There was an inconsistency between the SNMP gen- 4.1.1-P8
erated MIB and the implementation. The implementa-
tion was changed to be consistent with SNMP MIB by
using Counter64 instead of Integer.
451441 SSLi Major ACOS reloaded when using the clear session com- 4.1.1-P8
mand while running HTTPS + ICAP traffic sessions.
The issue was timing-related, so it happened intermit-
tently. The issue happened more frequently with a
large number of concurrent sessions.
451219 GiFW Major For ICMP sessions, the reverse route back to the cli- 4.1.1-P5-SP2
ent might not be updated dynamically even if there
was a route change. The packets were forwarded out
to the old route for the same session. For TCP/UDP,
the route was updated correctly for existing sessions.
449974 SSL Major The latest CVE fixes [414 PSIRT Case] CVE-2018- 2.7.2-P13
0732: openssl: Malicious server can send large prime
to client during DH(E) TLS handshake causing the cli-
ent to hang.
449757 Web-TPS Critical The latest CVE fixes [CVE] A10-2018-0022: gui: HSTS 3.2.2 -P6
missing in redirect from “GET /”.
448798 SSL Critical Periodic import of CRL was failing if the CRL being 4.1.1-P8
imported was not in PEM format. With this fix, if the
CRL being imported is in DER format, ACOS will con-
vert it to PEM format during import.
Note: If the import occurs when the device has high

rates of traffic, the import process will demand signifi-
cant computing resources, causing the CPU usage to
spike to high levels.
448795 SLB-ICAP Major Editing an ICAP template bound to one VIP causes 4.1.1-P8
traffic failure on another VIP that is pointing to the
same ICAP server (even when different ICAP tem-
plates are used).
447844 CGN-HTTP Major As part of HTTP logging, the ACOS device allocates 4.1.1-P5-SP2
Logging several buffers for each request to cache the various
headers. The buffers are later freed up. However, this
process of allocating memory and then later freeing it
seems to be causing memory fragmentation. This
causes the memory allocator to take longer to do its
job and eventually causes the HRX queue to overflow.
447783 SSL Critical Using Secure ICAP can cause memory leak of SSL 4.1.1-P8
blocks. Workaround is to use ICAP without SSL.
447223 SLB-RAM- Major Configuring a policy local-uri may generate a “local 4.1.1-P6
Cache cache entry can't be created” error.
page 185
FeedbackF
Fee
e

A10
447127 SNMP Major Under certain configurations, terminating the 10lb 4.1.1-P9
process may initiate multiple a10snmpd which
causes SNMP traps to stop working.
446974 SLB-FTP- Major Session hanging state is caused by not immediately 4.1.4-P1
Proxy passing the FIN-ACK to the client side when the
server-side is active-close on a ftp-proxy virtual port.
445723 SLB-Config Major ACOS might reload if destination rules are configured 4.1.4-P1
with both AC and IP class-list for the same target
(host/url/ip) and periodic import is performed for
class-list bound to a destination rule. When a class-list
is imported, ACOS compiles all class-list into an inter-
nal class-list in background based on target and
class-list type. However, there's a defect that incom-
patible type of class-list would be compiled such as
compiling AC class-list into internal IP class-list.
445618 SSL Critical The “show slb ssl error” command output includes 4.1.1-P8
duplicated counter information.
444340 SSL Major The latest CVE fixes CVE-2018-0739 openssl: Han- 2.7.2-P13
dling of crafted recursive ASN.1 structures can cause
a stack overflow and resulting denial of service.
444091 Explicit Critical Explicit Proxy TP-Chain stopped functioning when 4.1.1-P8
Proxy SOCK5 traffic was received. When traffic passed
through explicit proxy virtual IP with SOCK5 traffic and
with “non-http-bypass” option enabled.
443965 SLB-DNS Major The device reloaded when the control CPU deleted a 4.1.1-P5
DNS record while the data CPU was searching the
DNS record (searching the same linker list).
443452 SSL Major In Dynamic-Port SSLi deployments, non-ssl traffic was 4.1.0-P11
processed as L4 if non-ssl-bypass feature is config-
ured. This change was introduced in 4.1.1-P8 to opti-
mize performance. This, however, affected
processing of certain protocol traffic such as FTP,
SMTP where server initiates first data packet.
In this release, the behavior is reverted to that of 4.1.1-

P7 or earlier releases, and by default, all traffic is now
processed as L7. Also, a new config option is added
under client-ssl template to help user enable optimiza-
tion and process non-ssl traffic as L4.
Configuration:
non-ssl-bypass service-group <sg_name> [bypass-
proxy]
~ With the bypass-proxy configured under Dynamic
Port Intercept, non-SSL sessions will be processed as
L4 traffic.
~ Without the bypass-proxy option configured
(default), the behavior will be same as that of 4.1.1-P7,
where the traffic is being processed as L7 traffic.
443331 Explicit Major Sending a normal request when “use-rcv-hop-for-resp” 4.1.4-P2
Proxy is configured can result in an explicit proxy storm loop
that generates 300k sessions.
page 186
Feedback

A10
443221 Router Major Processing long 4-byte as-path generated an overrun 2.7.2-P7-SP4
issue that caused BGP to reload.
443123 System - Major ICMP error messages was suppressed on Non FPGA 4.1.4-P2
platform platforms on packets with TTL equal to 0
442615 Explicit Major When two Thunder 3040(S) were deployed in the 4.1.1-P6
Proxy VRRP-A high availability environment, load balancing
stopped working on both the devices during Explicit
Proxy loop.
442531 ACL Major L2 forwarding was not working as expected when ACL 4.1.1-P8
session match happens.
442528 Web - ADC Major When URL switching entries are edited in the HTTP 4.1.1-P6
CGN template through ACOS web interface, the “Please
enter a valid URL” error message is displayed.
442525 SSLi Major High control CPU utilization while processing SSL traf- 4.1.1-P8
fic and checking the forward-proxy certificate
counter on AppCentric Templates SSLi Dashboard

may cause system to stop processing data-plane traf-
fic and management plane (GUI, SSH and Console) to
become unresponsive.
441805 DDoS detec- Major In an SLB configuration with a NAT pool, selective fil- 4.1.1-P8
tion tering for CGN was enabled by default.
441574 SSL Major If a DNS query was sent over TLS and the vport was 4.1.4-P2
DNS-TCP, ACOS restarted.
441328 VRRP Major The standby device in a VRRP-A configuration dis- 4.1.1-P6
played parsing errors such as “Parse error when exe-
cuting command: pki ssl-update certificate”, when the
active device ran the “configure sync running all-parti-
tions auto-authentication” command.
441262 HA Major If you ran the “configure sync” command on ACOS 4.x 4.1.1-P2
systems or the “ha sync” command on ACOS 2.7.x
systems, some unexpected files were generated in
the hard disk and after running the sync many times,
the process slowed down due to these files. The con-
trol CPU also spiked up during the period of the sync.
441079 SLB-Diame- Major In SLB configuration, on the active device, there was a 2.7.2-P11
ter mismatch in output for the “Concurrent user-session”
counter under the “show session diameter” command
and the output for the “show slb diameter” command.
440992 SLB-Config Major The idle-timeout did not work as expected if the reset- 4.1.1-P8
rev option was configured for the TCP proxy.
440941 System - Major Specific UDP and TCP ports remained open in ACOS, 4.1.4-P2
platform although the ports were not assigned any function.
page 187
FeedbackF
Fee
e

A10
440929 TCPIP Major When evaluating ACOS version 4.1.1-P6 in the same 4.1.1-P8
SSLi topology as ACOS version 2.7.2-Px, the most
recent ACOS version encountered significant drops in
throughput. When running Layer-7 packet statistics, a
large number of out of order packets were seen. The
issue was persistent across TCP-proxy, HTTP, and
HTTPS virtual ports.
440923 SLB-NAT Major After upgrading from ACOS version 4.1.1-P6 to 4.1.1- 4.1.1-P8
P8, when performing static NAT in SLB for ALG traffic,
there was an error obtaining an address or port num-
ber from the NAT pool. ACOS then restarted.
440743 SSL Major When an invalid TLS handshake was received, ACOS 4.1.1-P8
responded with a blank SSL record instead of a
close_notify message.
440140 SNMP Major The SNMP trap (axPartitionResourceUsageWarning) 4.1.1-P8
is not sent to the SNMP host when the L3V partition
exceeds the threshold.
439846 System - Major The latest CVE fixes CVE-2017-18017 kernel bug at 3.2.2
platform tcpmss_mangle_packet.The tcpmss_mangle_packet
function in net/netfilter/xt_TCPMSS.c in the Linux ker-
nel before 4.11, and 4.9.x before 4.9.36, this allows
remote attackers to cause a denial of service (use-
after-free and memory corruption) or possibly have
unspecified other impact by leveraging the presence
of xt_TCPMSS in an IP tables action.
439396 Web - ADC Major On the GUI, under ADC, the “Forward-Policy” tab under 4.1.1-P6
CGN "Security" is hidden in the absence of CFW license.
438130 SLB-HTTP Critical In SLB deployments, a session leak exists when both 2.7.2-P12
"ignore-tcp-msl" and "req-hdr-wait-time" are config-
ured.
438095 Web - ADC Major User was unable to save private partition configura- 4.1.0-P11
CGN tion changes into the startup-config through the GUI.
When PartitionWrite users executed "write memory" in
private partition, success message was displayed
without saving the configuration in startup-config.
437461 Explicit Major Explicit Proxy(EP) sometimes takes around 100-1000 4.1.1-P7
Proxy msec to send a DNS query after receiving an HTTP
request from the client. This issue happened if the
request rate was very low and there was no DNS
cache.
437254 aFleX Major If a global array was used under RULE_INIT and the 2.7.2-P11
number of elements reached the maximum number
allowed, then the script would abort even after remov-
ing the extra elements.
436978 Explicit Major When a client sent two HTTP requests in one TCP 4.1.1-P6
Proxy connection, EP selected the wrong dst port when the
first request is not 80 and second request is 80.
436907 GSLB Critical ACOS sometimes reloaded if an L3V partition was 4.1.4-P1
deleted which contained a dynamically-created GSLB
service-ip.
page 188
Feedback

A10
436636 SNMP Major The MIB text file failed to load into an SNMP manager 4.1.1-P6
(JP1 or NNMi) due to duplicated OID definitions. This
issue appears to be an SNMP browser issue and it
was not seen on every MIB browser.
436117 SLB-L4 Major The “clear sessions all” command was not working 4.1.1-P6
when the client was sending UDP packets from the
same IP address and port every 1 second.
433379 VRRP Critical In the Virtual Router Redundancy Protocol (VRRP) 2.7.2-P11
configuration of ACOS, if the "get-ready-time" is set
and the preempt-mode is set to disable, preemption is
happening before the "get_ready_time" countdown
timer completes.
431539 CGN-NAT44 Major The ACOS system could not process HTTP traffic that 4.1.1-P3-SP1
ran for over 30 minutes.This was due to the multiple
RADIUS requests received by ACOS.
430300 SSL Major The Thunder TH3040S device may drop packets 4.1.1
during SSL handshake. Such intermittent handshake
failures may occur on ECDHE ciphers. This behavior is
seen with simple client/server scenarios and hand-
shake failures may happen randomly and on an infre-
quent basis.
The client was sending TLS alerts against the TH-N5

server-hello:
tlsv1 alert decrypt error 22

424252 ConfigMgr Major The config manager process was restarting while 3.2.2-P2-SP1
reading NULL index data.
419932 L1-L4 Clas- Major A port remained down after replacing the copper SFP 4.1.1-P6
sification with SFP+ in the case of TH4440 devices. Similarly,
the issue also happened if the SFP+ was removed and
a copper SFP was inserted.
Note: The behavior of the LED in copper SFP has

changed from 4.1.4 build 208. Inserting a copper SFP
into the port of the TH4440 device (without a copper
cable) causes the LED to become green.
418084 Platform Major For copper SFP, all link-up ports went down when one 4.1.1-P6
data port was disabled on TH4440/5440/5840/6440/
7440s.
414832 SSL Major The latest CVE fixes CVE-2016-2182 openssl: Out-of- 2.7.2-P13
bounds write caused by unchecked errors in BN_bn2-
dec().
414823 SSL Major The latest CVE fixes CVE-2016-6302 openssl: Insuffi- 2.7.2-P13
cient TLS session ticket HMAC length checks.
406534 aXAPI v3 Major The 4.1.1 AXAPI incorrectly sends a "500 Internal 4.1.1-P2
Server Error" instead of a "404 'URI not found'" when
the API requests a file that does not exist.
page 189
FeedbackF
Fee
e

A10
401479 Explicit Major Explicit proxy did not forward packets properly when 2.7.2-P10
Proxy policy template option "forward-to-internet" was con-
figured and there was a medium or larger transfer of
packets.
399565 System- Major In earlier releases, ACOS used to debounce if the val- 4.1.3
Platform ues received were invalid. For example, a value of 0 or
-1 was used to indicate a failure to read or SMBUS
timeouts had occurred. This release adds debounce
to indicate if ACOS has received values that are valid
but might be above or below the acceptable threshold
limits.
399562 SLB-RAM- Major A missing space in the "200 OK" HTTP response 4.1.0-P5
Cache caused issues with opening a page on certain brows-
ers.
397870 System - Critical A TH3030S CGN-CPS test case indicated a 60% per- 4.1.3
platform formance degradation.
388144 Health-Mon- Major The unit of Response times in show slb service-group 2.7.2-P9
itor-L7 <sg-name> is consolidated to msec or usec.
375059 System - Major Output from the “show management” CLI command 4.1.1-P2
manage- did not display the correct states of the management
ment service after using the “enable-management” com-
mand with the “all-data-intf” key-word.
368761 SSLi Major ACOS device reloaded due to missing of checking for 4.1.0-P7
memory allocation failures.
355684 ACL Major When IPv6 ACL with object-group::/128 was config- 2.7.2-P9
ured using the command "object-group network ipv6-
0", it behaved like "::/0" traffic reached "::/128" instead
of explicit deny.
342955 System - Critical ACOS may allow multiple simultaneous upgrade 4.1.0-P5
platform requests from the API, CLI, and GUI.
202999 WAF Major When a request was sent from the client to match on 2.7.2-P10
the “b-list” the upper cases were not interpreted cor-
rectly.
page 190
Feedback


A10
437461 Explicit Critical There was a noticeable delay of 300-1000ms when 4.1.1-P6
Proxy HTTP Explicit Proxy was used to browse internet. The
DNS response was slow.
436279 SNMP Major SNMP object will not refresh during default timeout 2.7.2-P11
value.
435019 SSLi Major MMS traffic for virtual SLB server cannot pass 4.1.1-P8
through an ACOS device. The IP address in URL of
RTSP packet is not changed from SLB virtual IP to
server IP when ACOS sends it to server.
The traffic can not pass through, we can see that the
IP address in URL of RTSP packet is not changed
from slb vip (20.0.0.100) to server ip (20.0.0.10) when
it is forwarded to ACOS server.
435001 Web - ADC Major Auto-authenticate option for configure-sync is miss- 4.1.1-P8
CGN ing from Web user interface for VRRP.
434566 SNMP Major The remote default user configured is missing after 4.1.1-P6
SNMP upgrade using "snmp-server community read
pw-encrypted:’ command.
434481 Explicit Major When DNS entry expired suddenly, Ethernet port used 4.1.1-P5
Proxy to delete the back-end connection. Now the ethernet
port checks host name and port to avoid this sce-
nario.
434317 SLB-FTP- Major ACOS accepts standard “227 Entering Passive Mode” 4.1.1-P8
Proxy message or messages length >=27.
434299 L2/L3 Major The default configuration of “forward-ip-traffic” 4.1.2-P4
forwards only IP/IPv6 unicast traffic across all VLANs
in the “bridge vlan group”. It does not forward IP/IPv6
multicast traffic across all VLANs in the “bridge vlan-
group”.As a workaround, use the “forward all-traffic”
option.
433735 SSLi Major The memory usage after reload of ACOS devices and 4.1.1-P8
without traffic was high with maximum CPU usage
due to memory leak.
433687 SNMP Major In the auto-generated MIB file: "ACOS-FW-OPER- 4.1.1-P6
MIB.mib", some of the objects include additional
comma, which is preventing from loading the MIB file
to the NMS/Browser, etc.
433687 SNMP Major In the auto-generated MIB file: "ACOS-FW-OPER- 4.1.1-P6
MIB.mib", some of the objects include additional
comma, that are preventing the MIB file from loading
to the NMS/Browser, and so on.
page 191
FeedbackF
Fee
e

A10
433165 Web - ADC Major The GUI page for GSLB FQDN does not display any 4.1.1-P6
CGN entry if the large number of services are added under
the zone.
433144 aFleX Major Aflex script caused connection issues during virtual IP 4.1.0-P8
bonding process that performed HTTP logging caus-
ing the SLB server to stop functioning.
432958 ACL Major Unable to add a rule back into an ACL after deleting 4.1.1-P6
the rule, in certain instances.
432605 Explicit Critical Sometimes the explicit proxy configuration delivered 4.1.1-P6
Proxy requests to the incorrect port even when the ACOS
device chose the correct HTTPS service-group in the
server selection process.
432604 GSLB Major A DNS packet arriving on the same data CPU as a pre- 2.7.1-GR1
vious DNS query with the “dnsec” DO bit set in the OPT
header was incorrectly processed.
432532 SLB-Config Major If “min-active-member” was applied to a service group 4.1.0-P10
with at least one member, 484 memory block
allocation was increased.
432286 SLB-HTTP Major When HTTP pipeline traffic was passed through an 4.1.0-P10
SLB server with HTTP keep-alive disabled, the system
stopped functioning.
432250 SLB-HTTP Major The device fails due to RAM cache issues. 4.1.1-P6
432112 SSL Major When “Client authentication” was done through 4.1.1-P7
Mozilla Firefox browser, the Thunder device failed to
fetch the SSL record.
432065 AAM Critical When binding AAM aFleX to a virtual port, ACOS gives 4.1.1-P8
an error "Not enough memory.. Line 0:"
431855 VRRP Major When attempting to remove all VRRP-A tracking 4.1.1-P8
options and reconfiguring priorities, ACOS errone-
ously continues to show VRRP-A priority is reduced to
1, due to tracking options.
431692 TCP/IP Major ACOS stopped when it was processing high amounts 4.1.0-P10
of SSL traffic.
431436 SLB-Config Major The syn cookie had an on-threshold value of 0 and an 4.1.1-P6
off-threshold value of 0. Instead, the range starts from
the minimum value of 1.
431398 NAT-CGN Major In rare conditions, the ACOS device configured for 4.1.1-P2
CGN may experience a system reset when processing
packets with TTL of 0.
431203 GSLB Major After upgrading to 4.1.1-P6, configuring the "no health- 4.1.1-P6
check" option may yield inconsistent results.
431197 SLB- Major As the default round robin-method is optimized for 4.1.0-P9-SP3
Conn-reuse high performance, over time, this optimization can
result in an imbalance in server selection when tem-
plate connection-reuse is also configured.
431149 Explicit Major HTTP header was not working when there was proxy 4.1.4
Proxy chaining of explicit proxy with SSLi and when requests
were SSLi bypassed HTTPS (CONNECT).
page 192
Feedback

A10
430933 SSLi Major When there is heavy SSLi traffic, ACOS fails and 4.1.1-P8
requires a reload.
430909 SNMP Major A segmentation fault was generated by “a10sn- 4.1.2-P2
mp_trapd” when there was a configuration change
performed on SNMP.
430861 Health-Mon- Major The global health monitor option at GSLB >> Geo- 4.1.1-P6
itor-Infra Location >> Find >> IP address or >> Geo Location IP
Range was missing in this ACOS release.
430633 aFleX Major The aFleX DNS logging was not working properly 2.7.2-P11
when multiple DNS requests were sent over the same
connection within a short interval. The server
responses started, as back-to-back to the same con-
nection. This resulted in a scenario where only the
first response data was handled properly and the sec-
ond response packet was not processed.
430390 aXAPI Major There was a display error on Web GUI, as the status of 4.1.1-P6
the server changes unknowingly, displaying “Error:
Counter/Stat object is not found in back-end”. The
user was unable to see the following server status
properly: Real-servers, Service Groups, Virtual Ser-
vices, and Virtual Servers.
430312 Web - ADC Major When logging on GUI with partition user credentials, 4.1.1-P7
CGN access to other partitions might not be available.
429854 System - Critical The hardware platform where vThunder is installed 4.1.1-P8
platform must meet the minimal requirements of 4 GB RAM
(more RAM is required if memory-intensive features
are used, such as Jumbo Frame).
429854 System - Critical The hardware platform where vThunder is installed 4.1.1-P8
platform must meet the minimal requirements of 4 GB RAM
(more RAM is required if memory-intensive features
are used, such as Jumbo Frame).
429590 SSL Critical As different encodings are used for different types of 4.1.1-P6
certificates in different areas, CA certificate verifica-
tion may fail when using the hardware SSL module.
429289 L2/L3 Major After performing an upgrade, ports configured for 4.1.4
monitor action are not reachable.
429130 System - Major The admin cannot execute the “backup-periodic sys- 4.1.0-P7-SP2
manage- tem” command if the user forgets the password. To
ment fix, configure another “backup-periodic system” com-
mand, so that it overwrites the previous one.
428971 Router Major The IP RIB table was not properly updated when one 3.2.2-P4
of the ECMP BGP Default paths was withdrawn. This
issue could happen if there was a combination of
Default (0.0.0.0) ECMP paths learned from BGP neigh-
bors, and if there was also the existence of BGP neigh-
bors with the default originate configuration.
428968 VCS Major The user found that the save button icon on the GUI 4.1.1-P5
change color from blue to yellow without any configu-
ration changes and is always showing in yellow, even
though the configuration on the ACOS is saved.
page 193
FeedbackF
Fee
e

A10
428929 SLB-Config Major The TCP based application did not release the con- 4.1.1-P5
nection limit count.
428815 SSL Major The close-notify was not sent for server active-close 4.1.1-P7
sessions. The previous design had limitations in send-
ing close-notify. Upon configuring close-notify on the
server-SSL template, the notification started receiving
as close-notify from the server first (server active-
close), and the close-notify from server-SSL was not
sent.
428344 SLB-Config Major SLB buff-thresh configuration was not applied when 4.1.1-P7
the system was reloaded or rebooted, but it was dis-
played in the running config.
428179 System - Major The axapi/v3/file/aflex file-handle export action does 4.1.1-P8
manage- not work. Please use the GET /axapi/v3/file/aflex/
ment host_switching export action instead.
428164 VCS Major When a "Local" ACOS image was used on VCS, stag- 4.1.1-P8
gered-upgrades failed.
427774 Health-Mon- Major Starting with 4.1.1-P8 and later, the output from the 4.1.1-P8
itor-Infra "show health stats" command showed the health
monitor status with the UP or DOWN reason. In prior
releases, this information existed in several separate
CLI commands, such as "show health stats", "show
health down-reason", and/or "show health up-reason".
427681 SLB-Config Major When the VE interface belonging to the bridge-vlan- 4.1.1-P7
group is disabled and then re-enabled, ACOS displays
the "Backend Error" message.
427228 System - Critical The ACOS device may sometimes lose CLI access, 4.1.2-P3
platform requiring a reboot to gain access. This issue is caused
by new code that was added to support multiple con-
trol CPU. The new code may sometimes cause incor-
rect CPU affinity for the "kworker thread", which then
causes the CLI sessions to terminate at the wrong
time.
427204 SLB-DSR Major L2-DSR requires a TCP template option for “reset-fol- 4.1.0-P7
low-fin” that enables ACOS to close a connection with
RST on the first FIN of a connection.
427198 AAM Major aFleX authorization does not work when used in con- 4.1.4
junction with "GWTR" and AAM authorization.
427135 SSL Major On vThunder platforms, with end-to-end SSL encryp- 4.1.0-P9
tion and a low bandwidth, files are downloaded
incompletely.
427114 System - Major A recent change in the design for shell root access 4.1.1-P6
manage- (with AAA login) impacted the original design. This
ment may cause guest shell access to fail in 4.1.1-Px
releases.
page 194
Feedback

A10
426973 WAF Major In WAF deployments, when running xss-check in "4.1.0-P11
sanitize mode, ACOS could sometimes reload, pro-
ducing the error message: “Invalid Buffer state
change.” The root cause is that any modification to
the HTTP data that reduces the size of the data could
cause ACOS to release the most recent buffer, possi-
bly leading to a “double-free” of that buffer.
426835 Asure Major In ACOS GUI (System > Setting > Logging), the page is "4.1.1-P7
not found. The root cause for this issue is that the log-
ging page does a get on “axapi/v3/partition”, which is
NOT supported in the cloud-based Azure and AWS
environments.
426769 System - Major The ACOS device reloaded after booting the device. 4.1.1-P6
platform
426751 AWS Major When vThunder for AWS was booting up, the time- 4.1.1-P3
zone offset was not correctly applied until NTP was
synchronized. Immediately after booting, the system
clock was running as UTC, but the timezone offset
was applied only after NTP was synchronized. Going
forward, this issue is addressed by prompting the user
to fill in this field.
426322 System - Major On the TH3040 devices with VRRP-A inline mode, the 4.1.1-P8
platform device dropped some packets sent to certain MAC
addresses if the device was in a standby mode. This
could occur if the packets were sent to the MAC
address of Ethernet ports 11 and 12.
426114 TCPIP Major Client FIN was getting dropped. Issue caused by 4.1.4
simultaneous close, where the FIN packet did not
acknowledge the “SND.UNA” of the receiving TCP
stack.
426064 SLB-Config Major If the peer (second) unit in the cluster had the virtual 4.1.1-P5
IP address of the same name but different IP address,
the configuration synchronization failed.
426035 VRRP Major Configuration Sync does not work properly with 4.1.1-P6
DCFW deployments when running 4.1.1-P6. The order
of rules cannot be manually synced.
425872 ConfigMgr Major Tacacs authorization request was resized to take care 4.1.1-P6-SP2
of this problem
425618 SLB-FTP Critical In some long-lasting FTP data sessions, the FTP con- 4.1.1-P7
trol session can sometimes age out before the FTP
session has completed data transfer.
425260 SLB-ICAP Major If multiple HTTP requests are in same connection, the 4.1.1-P8
ICAP request header is corrupted.
425164 Firewall Major Zone information included in Log messages is based 4.1.1-P6-SP1
on the direction which initiates the connection.
424719 SLB-HTTP Critical When aFlow was configured in a virtual port template 4.1.1-P6
and bound to an HTTP virtual port, too many concur-
rent connections could cause a memory leak on 36
blocks. This could happen under scenarios where a
memory block was not correctly freed.
page 195
FeedbackF
Fee
e

A10
424703 SLB-Policy Critical Traffic is incorrectly forwarded to alternate server 4.1.1-P6
when primary server is UP when method src-ip-only
hash is used. This happens when server is up or
down.
424645 Platform Major In the TH3040 and BareMetal X710 10G port, the traf- 4.1.2-P3
fic was stopped when an unconnected or link down
port was disabled or enabled. This issue can also
occur when box gets rebooted.
424156 SNMP Major When SNMP service was enabled on ACOS and a 4.1.1-P3
request was sent for “sysObjectid” the object ID was
not functioning.
424144 Firewall Major When SLB security interface profile was enabled on a 4.1.4
vThunder instance with a DCFW config, a transfer of
50MB file failed from the client when "syn-cookie"
option was enabled under the SLB TCP virtual port.
423872 System Major The error log “Unable to find current UUID” was dis- 4.1.1-P6
Manage- played when “Configure sync” was performed on the
ment ACOS device.
423757 WAF Major There was a duplicate object wafTemplateFormCs- 4.1.1-P6
rfTagSucc in ACOS-WAF-STATS-MIB.mib.
423308 Health Major SLB health monitor did not perform correctly when 4.1.1-P6
Monitor TCP-half-open functionality was configured.
422938 SNMP Major In rare cases, SNMP MIB “acosFwSystemStatus data- 4.1.1-P5
SessionUsed” displays incorrect data.
422833 SSL Major The “forward-proxy-cert-revoke-action” does not 4.1.4
function correctly. SSL traffic was bypassed even
when destination HTTPS server certificates were
revoked when this option was configured as drop.
422515 SSLi Major If software SSL was configured and there was a CA 4.1.1-P6
certificate failure followed by a verify-cert-fail-action
bypass, ACOS system stopped functioning.
421834 SSLi Major Under certain conditions, the connection to the server 4.1.1-P7
was not established in SSLi deployments after the
cert-fetch and OCSP checks. This was because cer-
tain procedures in forward-proxy-inspect affected the
client packets and caused the bypass to fail.
421636 System Major vThunder on KVM cannot establish OSPF neighbor 4.1.1-P3
Platform through SR-IOV. vThunder cannot receive multicast
packets on VE interface. vThunder can receive
multicast packets on L3 interface only if there are two
vThunder instances on the same KVM, one has VE
interface, and another has L3 interface, then both
vThunder devices can receive multicast packets.
421600 SLB-ICAP Major ICAP did not work when the disable-default-vrid option 4.1.1-P6
was enabled for VRRP.
420844 TCP/IP Major The transmit buffers were not released even after 4.1.4
data was transferred and sessions were cleared, as
displayed in the “show slb tcp stack detail” output.
page 196
Feedback

A10
420373 aFlex Major aFleX did not generate a DNS log if the DNS response 2.7.2-P3
included a domain name with more than 250 bytes.
The maximum readable length of an ASCII DNS name
is 253 characters.
420247 GiFW Major When CGN was configured on P1 and GiFW on 4.1.1-P6
partition P2 on an ACOS device, and a client PPTP
connection sent continuous traffic to P1, no replies
were displayed. When traffic was sent to create 64512
full-cone sessions in GiFW, P2 and matching inbound
traffic was sent from the server, ACOS stopped
functioning causing customer network to come down.
420139 System Major ACOS device cannot reload or reboot with the active 4.1.1-P6
Manage- configuration class list, when system resources are
ment used up if more than six million entries are logged.
419848 TCP/IP Major TCP proxy applications such as HTTP and HTTPS did 4.1.1-P6
not close properly on the client-side if the closed state
of the ACOS system was FIN-WAIT1 due to re-trans-
mission issues when the connection was freed.
419197 L2/L3 Major If an interface was created and added as a non-lead 4.1.1-P6
member of a trunk group, the output of the “show
interface brief” command did not display the interface
name. The issue was not seen on a lead port or if the
trunk had only one member.
418963 System Major Turning ACOS device left PSU OFF or ON, displays 3.2.2-P4
Manage- wrong message "System Lower Power Unit" instead
ment of "System Left Power Units".
418468 SLB-Config Major The wildcard IPv6 VIP did not ignore IPv6 HSRP hello 2.7.2-P9
packets. The issue is not seen with IPv4 wildcard
VIPs.
418057 SNMP Major Two extra zero bytes were included in the partition 4.1.1-P5
name when a trunk was configured, and the interface
was up. However, this issue was not seen when Vir-
tual Ethernet was up.
417949 AAM Major The ACOS device failed over during VRRP synchroni- 4.1.1-P5
zation after trying to add a VLAN.
416612 SSL Major N5 SSLi card now supports 64 buffers by default on 4.1.1-P5
A10 Thunder devices.
416518 System Major GARP may be sent from standby box immediately 2.7.1
Platform after standby box is rebooted or reloaded.
415657 L2/L3 Major When configuring an interface trunk, if a name was 3.2.1-P3
configured prior to the trunk group being added to the
VLAN as untagged, the configuration was permitted,
but would not persist after a reload/reboot, but if the
trunk was added to a VLAN as untagged, and then a
name was added for the interface trunk, the configu-
ration would not be allowed.
415099 Health-Mon- Major This bug was caused by a race condition within ACOS 4.1.0-P9-SP3
itor-Infra internal. The effect was that the packets originated
from the host such as the health monitor caused
memory corruption that led to the device reload.
page 197
FeedbackF
Fee
e

A10
415093 GiFW Major Radius attributes were not logged correctly for Appli- 4.1.1-P6
cation Level Gateway traffic for Gi/SGi firewall radius
logging feature.
414874 VCS Major In a VCS environment, in either a shared or private par- 4.1.1-P5
tition, aFlex failed to recognize changes to an existing
aFlex script.
414616 System - Major The TCP backlog counter was not thread safe. 4.1.0-P1
platform
414202 System Major When TH1030 Management Interface was set to 4.1.1-P5
Manage- duplexity 100/ speed Full, the interface showed Half
ment Duplex and remained in "Down" state even after a
reboot.
414188 System - Major A system log error "Failed to get database version" 4.1.1-P6
platform was caused when ACOS was upgraded on vThunder
or Thunder device from 2.8.x version to a 4.1.x ver-
sion.
414073 VRRP Major The VRRP-A "CONFIG SYNC : Completed" message is 4.1.1-P3
displayed as error on standby device.
414037 aFleX Enhance AFlex TCP data was not forwarded from the A10 4.1.1-P5
ment device when a server connection was being estab-
lished.
413908 GSLB Major The gslb member's log message included the string 4.1.0-P9
"Communication error with LB".
413905 GSLB Major GSLB group member did not save the configuration 4.1.0-P9
intermittently after the 'write memory' operation on
the master GSLB device, when the 'Default' startup
profile was used.
413869 WAF Critical WAF argument sanitation failed for requests marked 4.1.0-P10
as Content-Type x-www-form URL encoded when the
arguments were on the request line instead of in the
body text.
413857 GiFW Critical Header value was getting truncated in http log for 4.1.1-P5
fragmented IPv6 requests.
413290 NAT-CGN Major The "show cgnv6 lsn statistics" counted each hit of 4.1.1-P6
"No Class-List Match" as two hits.
412937 AAM Major The ACOS device sent HTTP 1.0 OCSP requests, but if 4.1.0-P9
the OCSP server expected HTTP 1.1, then it would not
work. The reason for this failure was that some OCSP
servers will deny the request if there is no host header
in the OCSP request. This release adds a new com-
mand option to enable HTTP 1.1 OCSP requests.
412714 SLB-Config Major The "ha priority-cost" command is not available for 4.1.1-P8
server configuration.
412700 SSLi Major AX failed to fetch OCSP & CRL by svm-source-nat pool 4.1.1-P7
and virtual server with non-default vrid.
412474 Firewall Major ICMP NAT functionality on ACOS firewall did not sup- 4.1.1-P6
port ICMP traffic.
page 198
Feedback

A10
412295 SSL Major The pki-certificates created in a private partition were 4.1.4
not displayed in the showtech log on a shared parti-
tion.
412177 SNMP Major There is no trap (i.e. axSystemTempLow) raised 2.8.2-P8
when the system temperature falls below the
configured low threshold limit.
411604 GiFW Major "Rerouting failure caused packet drop when the TCP 4.1.1-P5
""half-open-idle-timeout"" option was configured on a
firewall session. This issue was due to a reroute and
DST mismatch with the new and old RADIUS zones.
411227 Web - ADC Critical When "rba enable" is configured, there is no GUI sup- 4.1.1-P5
CGN port for switching partitions.
409870 SLB-ICAP Major ACOS configured as SSLi and running both ICAP and 4.1.1-P6
proxy servers rebooted while browsing the Internet on
a web browser.
407953 SSL Major The SSL cps counter on the ADC dashboard displayed 4.1.1-P3
the value for only server-side SSL connections.
403966 SLB-L4 Major SNMP-based load balancing did not work as 4.1.0-P9
expected. While the script polls the server correctly,
and the servers come up fine, the server weights did
not come up under the real servers.
402686 ACL Critical Unexpected conflict was observed when the "permit ip 4.1.1-P1
any any" and "deny ip any any ethernet x" commands
were executed,
402398 SSLi Major The inside SSLi device does not send SYN packets to 4.1.1-P5
verify certificates via OCSP if the VRRP-A VRID is not
the default value (0).
401803 System - Major When the ACOS system encountered “Crypto board 2.8.2
platform inaccessible” error, the non-FPGA systems were not
getting rebooted. This issue was not seen for FPGA
systems.
401242 SSL Major A10 devices with N5 SSL card can stop functioning 4.1.1-P2
under heavy SSL traffic when a client-SSL template
has a server-name configured.
396229 SLB-Config Major When configuring an application logging template 4.1.0-P9
using the "slb template logging" command with the
option "1 - Enables local logging" selected, log
messages were missing.
394480 System - Critical After a reboot, ACOS might get into a race condition, 4.1.2-P1
manage- causing SSH sessions to hang.
ment
391103 Firewall Major When "force-delete-timeout alive-if-active" was config- 4.1.1-P6
ured on a firewall session-aging template and bound
to active-rule-set it was not possible to establish a
TCP session using SSH even after refresh.
390418 aFleX Critical "When a show tech file was exported to a remote site, 4.1.3
the aflex script content was not included.
page 199
FeedbackF
Fee
e

A10
385726 SSLi When SSLi, ProxyChain, and ICAP were configured on 4.1.1-P4
a dual partition ACOS device, random traffic requests
going out to the internet through SSLi, and requests to
fetch large files from internal servers caused the
device to stop functioning.
368806 SSL Major OpenSSL publishes vulnerability update. 4.1.1-P2
368803 SSL Major OpenSSL published vulnerability update. 4.1.1-P2
365683 System - Critical Memory usage is higher under default session count 2.7.2
Platform conditions than when the l4 session count is higher
than the default value
361228 SLB-SMTP Major After send the EHLO command to a server, if the 2.7.2-P9
server response did not have STARTTLS, ACOS must
not have sent EHLO again to the server because the
second EHLO was only required after the server-side
SSL session was established.
358510 AAM Major ACOS closed connection and back-end server dis- 4.1.1-P1
played 401 response if NTLM relay configured was
4099 bytes or greater.
357826 SLB HTTP Major When the options "idle-timeout 20" and "slb msl-time 2.7.2-P11
10", were used, the session age-out output was
incorrect. When the short idle age was less than 30
seconds, the connection did not enter MSL cycle. The
connection was removed after the idle age expired.
356663 SLB-Config Critical Changing the IP address of an existing virtual-server is 4.1.0-P7
not allowed. The virtual server must be deleted first
and added again with the new IP address.
The workaround is to remove the virtual-server on the
peer before initiating the configuration sync-up.
351220 SLB-L4 Major Under certain conditions, session management could 2.7.2-P7-SP8
take a long time. This delay caused a "watchdog" to
occur, which then caused the ACOS device to reboot.
276415 System - Major Defunct a10class_list_l (classlist) process is not 3.1.3
platform reaped or cleaned up.
260567 L2/L3 Major The physical interface MTU configuration is lost after 4.0.2
device reload.
238438 Explicit Major There was a noticeable delay of 300-1000ms when 4.0.1
Proxy HTTP Explicit Proxy was used to browse. The DNS
response was slow.
231871 SLB-Persist Major Load balancer fails to parse header of empty cookies 2.7.2
for cookies not used for persistence.
27017 System- Major Console login was affected by administrator login 4.1.1-P8
Platform from a trusted host. The console port was impacted,
and ACOS was not accessible, open system session
did not function.
page 200
Feedback

TABLE 14Fixes in Release 4.1.1-P7

A10
ID Area Severity Issue Description Reported
417052 AAA Major In RADIUS configurations, the RADIUS NAS-IP-Address attribute was 4.1.1-P6
incorrectly using a value of 127.0.0.1
416803 L2/L3 Critical The ACOS device did not correctly tag egress frames with the 802.1q 4.1.1-P5
VLAN ID after using the “remove-vlan-tag” command and then removing
it from the config.
416557 System - Major When using the “import-periodic” feature, CRL files in the private parti- 4.1.1-P6
manage- tion were not being updated correctly. This issue was not seen with CRL
ment files in the shared partition.
415121 SLB-L4 Major The “non-syn-initiation” option did not work with L2 DSR deployments, 4.1.2-P2
and the active FTP connection could not be established.
414892 SLB-L4 Major Low throughput was observed for UDP traffic when using Advanced 4.1.1-P6
Traffic Replication. If the packet replication option was configured, and
if the transmit port was part of a trunk, the ACOS device did not use all
ports to send out packets. Instead, ACOS sent the packets out of the
first port.
414208 Health- Critical The “health-check-follow-port” option did not work as expected when 4.1.1-P5
Monitor- there were multiple server ports configured. For TCP health monitoring,
Infra ACOS still tried to send the HM to the original port.
414109 DP-Infra- Major GRE packets configured with PPTP were not counted in firewall logs. 4.1.1-P5-
Vectoriza- Only the first GRE packet was counted. SP2
tion
413732 VRRP Major In VRRP-A deployments, the a10lb process reloaded after configuration 4.1.1-P6
sync if it was using aFleX, which was included in the class-list with file
option.
413461 SSLi Major In Explicit Proxy deployments, the port number of the source NAT pool 4.1.1-P3
for CONNECT requests in the proxy log was incorrect.
412937 AAM Major The ACOS device sent HTTP 1.0 OCSP requests, but if the OCSP server 4.1.0-P9
expected HTTP 1.1, then it would not work. The reason for this failure
was that some OCSP servers will deny the request if there is no host
header in the OCSP request. This release adds a new command option
to enable HTTP 1.1 OCSP requests. (See Support for HTTP 1.1 for
OCSP Requests)
412840 Explicit Major Binding an empty AC class-list to policy template destination rules leads 4.1.4
Proxy to the following error: "Unknown string code: 7ffffffe"
409534 VRRP Major In GiFW deployments, the Thunder device did not successfully create 4.1.1-P5
an ICMP/ICMPv6 session while pinging the floating IP in a VRRP-A pair.
The ping succeeded, but the Thunder device did not create the data ses-
sion.
409146 Firewall Major In DCFW configurations, the local session idle timeout value was not 4.1.1-P6
correct.
page 201
FeedbackF
Fee
e

A10
409050 Firewall Major ACOS with a “fw dest zone” configuration was unable to resolve certain 4.1.1-P6
cases for multicast traffic.
408301 GiFW Major In GiFW deployments, the user needed to be able to toggle (turn on/off) 4.1.1-P5
the extended matching for firewall rule-sets. To address this issue, the
following new CLI command is added to this release: “fw extended-
matching disable”
397996 Web Cate- Major The ACOS CLI or GUI would sometimes hang if network connectivity 4.1.0-P9
gory - URL issues occurred while ACOS was downloading RTU (Real Time
Filtering Updates) from the BrightCloud server. In such cases, the RTU back-
ground thread was not terminated when the “no enable” option, under
“web-category” was invoked.
391189 Firewall Major If a source and destination zones were configured, and traffic was 4.1.2-P2
passed from the client to the ACOS device interface, the “show session”
command did not display any information on the traffic.
386818 Platform Major After reloading or rebooting a Thunder TH3040 model, the 10GB back- 4.1.4
to-back interface sometimes did not come up.
342190 SLB-HTTP Major If the client sent a Patch request to the ACOS device, the device was 4.1.0-P5
stalling and did not initiate a new server-side connection.
This behavior was seen under the following conditions: The client sent a
POST to the ACOS device and the packet was forwarded to the server.
The server responded with a “400 bad request” HTTP status code (indi-
cating that the client's request was somehow corrupted). The ACOS
device reset the server connection and forwarded the 400 message to
the client. At this point, the client sent the Patch and the ACOS device
was stalling.


A10
414196 SLB-Con- Major Browsing to ADC > SLB > Service Groups in the GUI on TH4430 caused 4.1.1-P5
fig the system to stop functioning.
409540 SLB Critical When IP NAT pool gateway is configured, if the wildcard virtual port 4.1.0-P11
uses "source-nat auto" configuration, ACOS stops functioning.
408985 CGN- Major Occasionally, in CGN configurations, when ACOS performed Round 4.1.0-P3
NAT44 Robin and received a fragmented TCP reset packet, ACOS required a
reset.
page 202
Feedback

A10
401635 Health Major ACOS did not close TCP health monitor sockets gracefully in a DSCP- 4.0.3-P4
Monitor- based L3-DSR setup. FIN from server was not acknowledged. Addition-
DSR ally the RST sent out by ACOS did not have the correct DSCP bit set so it
was ignored by server. This caused the socket to stay open on server
and resulted in connection issues when ACOS tried to reuse the source-
port for subsequent health monitor connections.
399394 System- Major For the A10 TH3030S model, the change in link status from up to down 4.1.1-P3
Platform was not detected immediately. It required about four seconds to detect
the link after the link partner port was disabled. The issue was specific
to ixgbe-based NICs.
Four seconds was the default link check timeout configured to avoid
link flapping detection. The timeout value is now reduced to avoid the
issue.
399367 System- Major When upgrading from 2.7.2 to 4.1.1-Px, the ciphers TLS1_R- 4.1.1-P3
Platform SA_AES_128_GCM_SHA256 and TLS1_RSA_AES_256_GCM_SHA384
are removed.
(This issue is addressed in 411-P6.)
403180 HW Major On the A10 TH3040S model, the output of the “show log” command dis- 4.1.1-P5
played a fan failure.
385666 HW Major The location number of the fans on the A10 TH3040S was incorrect. 4.1.1-P3
408298 aFlex Enhanc In 41x releases, the aflex_per_conn_data grew from 252 bytes in 272 to 4.1.1-P5
ement 373 bytes in 4.x.
Since this structure used conn session memory, conn type jumped from
3 to 4 (256 bytes pool to 512 pool). The system was unable to scale to
1M sessions on models such as the A10 TH4440S system.
397535 L2/L3 Major The member port of trunk in a “down” state was incorrectly transitioned 4.1.2-P2
to up. If another port in an “up” state was added to the trunk, then the
trunk state also changed to “up”.
279823 NAT-CGN Major The syslog session leaked when aged out. 2.8.2-P3
387085 ConfigMgr Major The ACL did not sync correctly under any of the following conditions: 4.1.0-P7
• An updated ACL was bound to the wildcard VIP.
• The original ACL had VLAN settings.
• Configuration sync was required to update the ACL sequence.
As a workaround, manually erase service-config and then attempt to re-

sync.
397312 NAT-CGN Major Stack trace printed while avalanche client sent traffic. 4.1.2-P2
404161 Counter- Major Some aXAPI failed with an error ACOS OPER BUFFER is corrupted by 4.1.1-P3
Infra app layer.
399799 System- Major The latest httpd CVE fixes for CVE-2017-3169, CVE-2017-7679 are now 4.1.2-P3
platform available.
page 203
FeedbackF
Fee
e

A10
407533 VRRP Major The “ha-dynamic” command under virtual-server configuration was 4.1.1-P6
available in ACOS version 2.7.2. This command was removed in the
ACOS version 4.0.0. The command is now re-introduced from ACOS ver-
sion 411-P6 onwards.
397852 NetFlow/ Major The configuration for source-address ip was missing from the netflow 4.1.1-P3
SFlow monitor configuration.
410497 SNMP Major The MIB axSysFanStatusTable did not work for FAN5A and FAN5B 4.1.1-P5
for the Thunder model TH3040.
409666 SSL Major Removing the SNI configuration from a client-SSL template by using the 4.1.1-P4
CLI made ACOS reload.
As a workaround, import and overwrite the same configuration without

the SNI in the client-SSL template.
408748 SSL Major The certificate revocation list (CRL) check did not work in software SSL 4.1.1-P3
for AOCS version 4.1.1 and later. OpenSSL limits the size of the CRL file
to 1 MB. If the size of the CRL file is more than 1 MB, the CRL check
fails.
As a workaround, reduce the size of the CRL file to 1 MB or less.

408070 L3V Major If a shared partition and an L3V partition were connected in the same 4.1.1-P3
L2/L3 subnet, when the VRRP status became active for all the partitions
at once, the shared partition sometimes sent GARP for floating/NAT IP
addresses configured in the L3V partition.
407779 SLB-NAT Minor When two VIPs used auto source-NAT (also known as Smart NAT) in a 4.1.0-P5
configuration where VRRP-A was enabled, deleting the VRRP-A floating
IP address caused an IP traffic failure that persisted even if the floating-
IP address was restored.
407575 SLB-Con- Critical Updating an ACL bound to a wildcard VIP was improperly prohibited 4.1.1-P1
fig from being modified.
407365 Web - ADC Major When typed, the web SMTP password was not displayed as encrypted. 4.1.0-P9
CGN
407339 Web - ADC Critical If an SSLi license was not configured for the ACOS system, the GUI did 4.1.2-P5
CGN not display the OCSP option under ADC >> Template >> SSL >> Cli-
ent template . OSCP, was however, available in the CLI.
407137 TCP/IP Major For the SLB auto-reselect feature in ACOS version 2.7.x, the actual retry 4.1.1-P5
number is calculated as the value of the number of syn-retries config-
ured in the template divided by the number of active server members.
However, in ACOS version 4.x, the actual retry number was calculated
as equal to the number of syn-retries configured in the template. The
value was not dependent on the number of active server members.
406816 Platform Major The 1G port LED glowed green even after being disabled when inserting 4.1.1-P5
the 1G SFP into the 1G port.
406645 System - Major Syslog messages reported non-existing port entries that also contained 4.1.1-P4
SNMP incorrect priority levels.
406633 SLB-Con- Major The “show session persist” CLI command did not display complete 4.1.2-P3
fig IPv6 addresses.
406579 NAT- Major Sessions were not removed when FIN was followed by RST. 4.1.1-P2
NATPT
page 204
Feedback

A10
406576 Scaleout Major If more than 50% of the nodes in a scaleout cluster were rebooted, the 4.1.1-P5
remaining scaleout nodes disappeared from the traffic map and were
not displayed when the “show scaleout” command was used.
As a workaround, reboot the devices in the cluster that were not initially
rebooted.
406450 System - Major When starting up, the Thunder 3430 model, running ACOS 4.1.1-P1, 4.1.1-P6
platform raised some critical system voltage logs. For example:
Sep 20 2017 09:10:50 Info
[SYSTEM]:System Voltage VBAT 3.3V is OK.
Current value is 3119
Sep 20 2017 09:10:50 Info
[SYSTEM]:System Voltage AVCC 3.3V is OK.
Current value is 3243
406393 Web - Critical On deleting the server port, the associated RRD files were not automati- 4.1.0-P9
ADC/ CGN cally deleted from the ACOS device.
405850 System - Major The callback function for regular expression handled the last character 4.1.1-P6
manage- of log messages incorrectly by ignoring it. Matching failed if the key-
ment word was the last word of the log message.
405439 IPSec VPN Major An enabled health monitor that used port 500, 4500, or 4510 as the 4.1.0-P9
source port failed because its response packet was consumed by the
daemon.
405325 Explicit Major FTP explicit proxy improperly used the route lookup to destination to 4.1.1-P6
Proxy route traffic. The correct method is to select a next-hop through the ser-
vice-group forward policy action.
404684 L2/L3 Major For SLB UDP traffic, the LACP or trunk was not getting load balanced. 4.1.1-P3
404377 TCPIP Critical When an A10 device sent a full payload (window probe) packet in 4.1.0-P6
response to a TCP zero window, some firewalls dropped the connec-
tion. The window probe is now changed to improve interoperability.
404134 SNMP Major The OID subtree acosRootStats was not defined in the A10-AX-MIB. 4.1.1-P6
There was no sub root available for CM sub-agent.
404113 ConfigMgr Major Some object descriptors in the generated MIB files for ACOS version 4.1.1-P5
4.1.1-P5 contained the underscore character "_", which is prohibited to
be used for SNMP.
403828 Router Major The BGP “aggregate-address” command did not work after reloading 4.1.2-P1
or rebooting the ACOS device.
As a workaround, after rebooting the device, add back the “aggregate-

address” command to the configuration. Alternatively, you can add the
route-map binding to the NAT-map redistribution by entering the CLI
command “no aggregate-address IP-ADDR summary-only” and
then the command “aggregate-address IP-ADDR summary-only”.
You can also enter the “no redistribute nat-map route-map
RM_MAP_BGP” command, which results in the redistribute NAT-map in
the running-config, and then enter the “redistribute nat-map
route-map RM_MAP_BGP” command.
page 205
FeedbackF
Fee
e

A10
403528 NAT-CGN Major If an FTP session was initiated for Static NAT IP, then the FTP payload 4.1.1-P2
was not NAT-ed. This led to failures in data connection in both active
and passive modes.
403000 Platform Major After the device reloaded or rebooted, the port stayed on even though it 4.1.2-P2
was disabled in the startup configuration.
402967 Firewall Major By default, CFW creates local sessions for the outgoing BGP connec- 4.1.1-P5
tions to a remote peer. However, the age of the local sessions was not
updated properly and the sessions timed out if they exceeded 60 sec-
onds. As a result, the RX BGP packets were dropped due to a session
mis-match.
As a workaround, explicitly configure a rule to match the BGP connec-

tions with the remote peers.
402725 aXAPI v3 Critical When a deployment had many servers and virtual servers, retrieving 4.1.1-P4
data by using the aXAPI failed because of the large chunk size. In older
releases 4.1.1-P2 and 4.1.1-P3, the chunk size was 8192. However,
beginning with release 4.1.1-P4, all data was sent in one chunk, thus
causing the client to send a RST packet, which reset the connection, due
to the reduced window size.
402398 SSLi Major The inside SSLi device did not send SYN packets to verify certificates 4.1.1-P5
through OCSP if the VRRP-A VRID was not the default value (0).
401875 aFleX Major The HTTP::respond implementation automatically encoded the data to 2.7.2-P11
the default utf-8 character set. If the data was encoded to another
character set, the response content got corrupted.
401479 Explicit Major Explicit proxy did not forward packets properly when the policy template 2.7.2-P10
Proxy option forward-to-internet was configured and there was a
medium or larger transfer of packets.
401230 SLB-ICAP Major In ICAP deployments, the ACOS device sometimes reloaded when 4.1.0-P9
ICAP REQMOD was enabled and the post file was sent.
400294 VRRP Major The command “ping floating IP” did not work for L3V partitions 2.7.2-P10
with ID 46 and above.
399790 SLB-Con- Major The various ACOS templates were spread across different areas in the 4.1.0-P9
fig CLI configuration. Now, they are grouped in a more intuitive way.
397945 Firewall Major GRE packets configured with PPTP were not counted in firewall logs. 4.1.1-P2
Only the first GRE packet was counted.
397873 L2/L3 Major In slowpath code, VLAN checks dropped packets arriving with a wrong 2.7.1-GR1
VLAN tagged on a tagged port. However, an ACL session was
established that sent the packet through the same wrong VLAN and
port. The subsequent session was established through fastpath, which
did not have any VLAN checks that blocked incorrectly tagged packets.
397453 SLB-ES Major When ICAP REQMOD was enabled and a post file larger than 15 MB 4.1.0-P9-
was sent, the session did not complete. SP2
397414 SSLi Major The SSLi device intermittently intercepted domains defined in the 4.1.1-P1-
web-category. SP1
As a workaround, define domain under class-list.
396076 SSL Major ACOS Thunder device (with N5 x 2 core) was getting a hardware ring full 4.1.3
counter that was incrementing intermittently and unexpectedly. This
could have caused performance degradation if there were too many bad
requests.
page 206
Feedback

A10
394726 SLB-L4 Major Wildcard VIP traffic was unexpectedly forwarded to the default route for 2.7.1-GR1
L4 traffic when the ip nat pool command was used to explicitly
configure a gateway (ip nat pool xyz 10.1.1.10 netmask/24
gateway 10.10.15.15).
394408 SLB-ICAP Major An issue sometimes occurred for ICAP response request lines that 4.1.0-P9
crossed multiple packets, wherein the port number was added twice on
the REQMOD packet
394054 SLB-ICAP Major In ICAP deployments, if attempting to POST a large file, the connection 4.1.0-P9
sometimes failed and an error message “connection proxy queue
depth exceeds the limit (60001)” was displayed. This issue was
caused by the ACOS device running out of buffer space for larger
packets, because the device must first send all packets to the Internet.
390892 System - Major On Thunder 840 models, switching between the menu tabs on the GUI 4.1.1-P3
platform caused the Control CPU usage to spike unexpectedly.
393896 NAT-CGN Major When ACOS is configured as CGN, a part of the fixed NAT port mapping 4.1.1-P2
files were generated with incorrect links.
388861 Web - ADC Major Attempts to upload the complete certificate chain from the GUI resulted 4.1.1-P2
CGN in uploading only the server certificate.
388072 AAM Major Enhancement to increase the aflex attr size for AAM. 4.1.0-P4
387072 aXAPI v3 Critical AXAPIv3 did not support configuring sync with auto-authentication. 4.1.1-P2
382330 aXAPI v3 Major When using aXAPIv3 to send a write memory request, the ACOS device 4.1.1-P2
returned an error message “Communication error with LB
process.” This issue occurred under the following conditions:
• If the destination was local.
• If the profile did not exist in the saved startup profile.

381526 ConfigMgr Critical RBA logic accessed a NULL pointer and caused a10cfgmgr to fail. 4.1.0-P8
380923 SLB-HTTP Major The connection reservation counters were not properly updated when 2.7.2-P10
strict transaction switching was triggered. This caused the conn-limit
feature to not work properly.
374228 SSL Major In SSLi deployments, the current counter sometimes showed a negative 4.1.1-P2
value in the output of the “show slb ssl-counter” command when
handling SSL traffic.
370048 SLB-Con- Major Service groups members that were in disabled status when added 4.1.1-P6
fig through aXAPI improperly accepted traffic.
360788 Web - ADC Major In SSL configurations, the ACOS device did not support the ability to 4.1.0-P8
CGN view, delete, or export the Certificate Signing Request (CSR) by using the
GUI.
As a workaround, use the CLI to handle any of such operations involving

the CSR.
368800 SLB-HTTP Critical When using a virtual port configured for port-based HTTP cookie-based 4.1.1-P6
persistence, a cookie submitted to the virtual port with the correct name
was trusted without validating that the IP provided was part of a
mapped service-group. The only restriction was that the illicit target
must be defined as a server in the same partition configuration as the
VIP.
page 207
FeedbackF
Fee
e

A10
368395 Health- Critical In DSR configurations, the health check failed because the server was 2.7.2-P10
Monitor- dropping the HTTP request. The host header in the HTTP health monitor
Infra was incorrect under DSR if the “override-port” option was
configured under the health monitor.
366739 SLB-Diam- Major If more than 8 NAT pools were configured, the source-NAT resources 2.7.2-P9
eter used to provide Diameter services were not being released back to the
NAT pool. Eventually all NAT pool resources were used up.
361486 SSL Major In software based SSL, SSL session cache hits refreshed the SSL 2.7.2-P9
session reuse cache timeout. This improperly prevented session cache
timeouts.
359863 Health- Major The Database Health Monitor (Oracle) did not work in any L3V partition, 4.1.1-P1
Monitor- but the shared partition had no issues.
Infra
350398 SLB-L4 Major The Alternate Server feature was not working as expected. If the 2.7.2-P9
primary server was disabled at the service-group level (and then
rebooted), the alternate server was never chosen. However, if the
primary server is disabled at the server level (and then rebooted), this
behavior is NOT seen, and the alternate server is chosen, as expected.
349387 SLB-DNS Critical When ACOS received a TCP packet with payload length more than the 4.1.0-P5
expected DNS payload size, a reset was sent to the client and server.
330343 SLB-NAT Major Traceroute operation via ICMP method (IP SLB or IP NAT config) on 4.1.0-P2
certain FTA platforms does not display intermediate host located
between ACOS device and destination server.
313357 System- Enhanc Periodic showtech collected for the backup log caused occasional 4.1.1-P5
platform ement spikes in the control CPU. The majority of the CPU cycles were
consumed while dumping the management plane socket information
that was part of each showtech. This process is now optimized to
minimize the CPU overhead.
276415 System - Major For any AOCS system running as a TPS solution, defunct 3.1.3
platform a10class_list_l processes were not being regularly killed.
page 208
Feedback


A10
400573 SLB-State- Major The ACOS device reloaded after configuring stateless UDP with the 4.1.1-P3
less “stateless-src-dst-ip-only-hash” option configured on an IPv6 wildcard
VIP. This issue was caused by an issue in the TTL/hop-limit decrement
code, and the bug was triggered when the hop-limit or TTL value was
equal to 0.
400540 SLB-Plat- Major CGN performance degradation occurred on AX 5630 devices after 4.1.1-P4
form upgrading from 4.1.1-P3 to 4.1.1-P4 (build 8 and later).
400315 NAT-CGN Major In CGN Fixed-NAT configurations, the ACOS device sometimes 4.1.1-P4
reloaded. This reload was caused by an internal issue in the calculation
of the End IPv6 address in the IP-list. The issue occurred if the prefix
count number was more than 256.
400028 L2/L3 Critical After enabling the LACP trunk (with tagged VLANs), the trunk status 4.1.1-P4
would not remain up. This issue was only seen on Thunder 4430, Thun-
der 5430, and Thunder 6430 models.
400018 Explicit Major In Explicit Proxy deployments, when using the drop action in the “for- 4.1.1-P4
Proxy ward-policy”, the logs generated always showed “port 0” instead of dis-
playing the correct port information.
399823 VRRP-A Major VRRP-A stopped sending out the VRRP-A heartbeat negotiation packet. 4.1.0-P9
This issue happened if the VRRP-A interface was a VLAN member and if
any of the options were removed from the
“vrrp-a interface” section of the configuration.
399655 VRRP-A Major In VRRP-A deployments, the new certificate was not used after the 2.7.2-P11
ACOS device performed an “ha sync” operation from the standby to the
active device. However, the GUI and CLI erroneously indicated that the
ACOS device was using the new certificate.
398699 SLB-Con- Critical With HTTP explicit proxy, an incorrect URL was sent to the server. This 4.1.0-P9
fig issue was caused by an incorrect copy operation. This issue occurred
while the ACOS device was attempting to convert an absolute URL to a
relative URL before forwarding the request to the server.
397486 SLB-Man- Critical The license on the TH 3040 device changed from a CFW license to an 4.1.2-P3
agement ADC license unexpectedly. This issue manifested with the serial number
becoming “--” and the license indicating ADC instead of CFW. This issue
occurred after upgrading the devices from release 4.1.1-P2 to 4.1.1-P3.
395599 DDoS Critical On the Thunder 14045 devices, the fans and voltages were getting 3.2.2-P1
“debounced” infinitely. This meant that if a fan failed, the user would not
be notified.
page 209
FeedbackF
Fee
e

A10
395002 System - Critical VCS failed to establish a scale out cluster. This issue occurred because 4.1.2-P2
Platform one of the TH-3040S nodes in the VCS cluster booted up incorrectly.
The device did not have the correct serial number, and for unknown rea-
sons, booted with
"Serial Number: ........" and
"Hardware Manufacturing Code: ....00"
390559 System - Critical The ACOS device was not responding after upgrading from 2.7.2 to 4.1.0-P9
Platform 4.1.X. This issue could be triggered by upgrading the compact flash (CF)
and hard disk (HD) from 2.7.2 to 4.1.X on a new device, and the issue
became apparent following reboot.


A10
398238 Explicit Critical ACOS reloaded when configured as an explicit proxy on encountering 4.1.1-P3
Proxy an invalid URL on the A10 TH3040S model.
397996 Web Cate- Major The ACOS CLI or GUI would sometimes hang if network connectivity 4.1.0-P9
gory - URL issues occurred while ACOS was downloading RTU (Real Time
Filtering Updates) from the BrightCloud server. In such cases, the RTU back-
ground thread was not terminated when the "no enable" option, under
"web-category" was invoked.
397951 SSL / Major When sending IMAP over STARTTLS, the ACOS IMAP proxy received a 4.1.1-P3
IMAP separate two bytes "\r\n" after SSL decryption. However, ACOS did not
support the ability to parse the "APPEND" command. Therefore, the
"APPEND" message was split across multiple packets, and the second
packet was not forwarded to the server.
397936 CGNv6 Major When SYN packets were re-transmitted on the session, CGN logging 4.1.1-P3
double-counted the length of the re-transmitted SYN packets.
397636 Platform Major The error message, "unary operator expected" appeared in the console 4.1.1-P3
output after upgrading to 4.1.1-P3 from 2.7.1-GR1-P1. This error mes-
sage appeared when a certain "if block check" was evaluated in the a10-
boot script, and it was only seen on non-FPGA devices that had the "l4-
session-count" option configured.
397483 aXAPI v3 Major Unsuccessful configuration of an access list resulted in a 100% CPU 4.1.1-P3
usage after running the "show access-list" command.
page 210
Feedback

A10
397335 AAM Critical AAM uses some APIs of the “HTTP::collect” method. However, the col- 4.1.1-P4
lected payload data was incorrectly reset at the end of AAM process,
and this caused the “HTTP::payload” method to malfunction.
397296 AAM Major The ACOS device allowed configuration of an aaa-rule with "no auth- 4.1.1-P4
template" for authentication bypass. However, if an aFleX script was
also configured with "HTTP::collect", the ACOS device replied with an
error message.
397279 System - Major False positive logging messages are generated every 90secs and fixed 4.1.1-P3
platform with correct logic and reporting.
397270/ DDoS Critical On the Thunder 14045 devices, the fans and voltages were getting 3.2.2-P1
395599 “debounced” infinitely. This meant that if a fan failed, the user would not
be notified.
397252 VCS Major Doing a backup system restore, followed by rebooting the ACOS device, 4.1.0-P9
did not restore the original config sync number, which was captured
when the backup system was taken. The VCS config sequence num-
bers did not match, and this caused the vMaster and vBlade configura-
tions to become desynchronized.
396787 SSLi Enhanc In prior releases, the cert and ca-certs were located in different loca- 4.1.1-P4
ement tions, so the “import-periodic” option only be applied to server certifi-
cates. In this release, the “import-periodic” option now supports the
ability to update the ca-cert bundle that is used in SSLi configurations.
396560 SLB-L4 Major In SLB deployments, if the "src-ip-only-hash" method was used in a ser- 4.1.1-P3
vice-group, then the slb alternative server was used, even if the primary
server was UP.
396340 System - Major The position of the power units on the TH3040S device appeared to be 4.1.2-P2
platform reversed. According to the output of "show environment" command,
from the front side view, the position must be:
~ Right Power Unit, Left Power Unit
However, the output of the "show log" command indicated that the posi-
tion was:
~ Left Power Unit, Right Power Unit

395896 SLB-HTTP Major If the content-length header was not present in the HTTP response 4.1.1-P3
packet (for example, chunked-encoding), with the logging template, the
packet length was logged as a very large number instead of "-".
395767 SSLi Major There were memory leaks on the server side when SSL renegotiation 4.1.0-P9
was triggered without successfully finishing.
395452 aFleX Major If cookie persistence and aFleX are both used at the same time, then 4.1.1-P4
aFleX wins. While this is the expected behavior for the match-type ser-
vice group, it is not the correct behavior for server or port. The behavior
is fixed such that cookie persist now takes priority with match-type
server or port, and aFleX takes priority with match-type service-group.
The behavior is corrected to be the same as the ACOS 2.7.2 release.
page 211
FeedbackF
Fee
e

A10
394942 SLB-Con- Major Configuring the "ignore-tcp-msl" option in a virtual port template did not 2.7.2-P9
fig work if hardware syn-cookies were being used. The "ignore-tcp-msl"
option allows the ACOS device to immediately re-use the TCP socket
after the session terminates, but without waiting for the MSL time to
expire. However, the issue with hardware syn-cookie is that the CPU
does not see the SYN packet from the client. The first packet the CPU
sees is the ACK packet from the client (but this is received before the
session is officially established).
394861 Config- Major At the real port configuration level, when the user entered the abbrevi- 2.7.2-P12
Mgr ated CLI command "en" (for "enable"), ACOS returned the prompt to
the previous level without enabling the real port.
In addition, ACOS displayed the following incorrect error message: "%

Unrecognized command. Invalid input detected at '^' marker."
394727 VRRP Major In VRRP-A deployments, when modifying the class list and using the 4.1.1-P4
"configure sync" command to push the config from the Active to the
Standby device, the output from the "show class-list" command contin-
ued to display the old content and did not show the modified class list
file on the running config.
394714 SSLi Major With SSL3 disabled by default in 4.1.1-P4, if the client request used 4.1.1-P4
SSL3, then the request was not successful.
394411 Web - ADC Critical ACOS did not allow users with Partition Read/Write permissions to cre- 4.1.1-P3
CGN ate a VLAN from the ACOS GUI. This issue could be seen by navigating
to the Network >> VLAN page, and clicking the Create button.
393973 GiFW Major With GiFW logging, the RADIUS attribute logging was broken for HTTP 4.1.1-P4
and custom attributes.
393760 Health- Major If an FTP banner was large and spanned across multiple packets, the 4.1.0-P7
Monitor-L7 ACOS device did not send the FTP password with the health check.
393424 Router Major Loss of Designated Router (DR) due to a dead timer resulted in the link 4.1.2-P2
state database (LSDB) inconsistencies.
393313 CGN-LOG- Major Receipt time (RT) value in firewall logging messages must have indi- 4.1.2-P2
GING cated a more meaningful value.
392968 HA Major When performing "configure sync" to a peer device, the ACOS GUI dis- 4.1.1-P4
played a yellow warning message prompting the user to reboot/reload
device. This error message persisted even after rebooting the peer
device, which could cause confusion.
392650 ConfigMgr Critical In aVCS environments, when some "clear" commands were executed 4.1.0-P10
on the vMaster under the device-context of a vBlade, the "a10cfgmgr"
process reloaded.
page 212
Feedback

A10
392452 IPV6 Tran- Major In CGN deployments, ACOS experienced high CPU usage and the device 4.1.1-P3
sition became unresponsive if:
1) there were multiple control CPUs being utilized, and
2) there was no traffic on the sessions, and
3) user was attempting snmpwalk with the following:
axIpNatLsnTop5PrivateIpAddrTotNumTcpPorts
axIpNatLsnTop5PrivateIpAddrTotNumUdpPorts
392021 Health- Major In rare instances, a health monitor reload was caused by the LOG code. 4.1.1-P4
monitor- Workaround: Change the sequence of the parameters of HM_LOG.
infra
392020 SSL Major SSL memory leaks occurred with the N5 SSL card if the ACOS device 4.1.1-P2
was under traffic loads that were heavy enough to overwhelm the hard-
ware's capability.
391570 SSLi Major In SSLi configurations, if the signature algorithm used by the real server 4.1.0-P9
was not recognized, the forged certificate would use SHA1 as the signa-
ture digest algorithm.
391037 Web - ADC Major ACOS experienced high control CPU utilization rates if the device had 4.1.1-P2
CGN more than 10,000 services and if the user attempted to use the GUI to
navigate to the following page:
ADC >> SLB >> Virtual Services

390973 GiFW Major In GiFW configurations, the Framed-IPv6-Prefix attribute was not 4.1.1-P3
logged if bits outside the prefix were not "0" padded. This issue could
occur if the ACOS device was receiving an IPv6 prefix which was less
than the expected 128 bits.
390892 System - Major On Thunder 840 models, switching between the menu tabs on the GUI 4.1.1-P3
platform caused the Control CPU usage to spike unexpectedly.
390733 NAT-CGN Major When PPTP traffic was running, "stack trace logs" appeared. 4.1.1-P3
390703 Explicit Major In Explicit Proxy deployments, an issue occurred when the server was 4.1.1-P2
Proxy attempting to redirect HTTP requests to HTTPS, and the client sent a
"CONNECT for HTTPS" request on the same connection. The CONNECT
request must be forwarded to port 443, but was mistakenly forwarded
to port 80.
390625 CGN-LOG- Critical After enabling ALG support for RTSP, when client port information was 4.1.1-P3
GING missing from the response for client RTSP SETUP messages, memory
corruption might occur.
page 213
FeedbackF
Fee
e

A10
390601 Firewall Major In firewall deployments, when the ACOS device receives a RST packet 4.1.1-P2
against a half-open session, the firewall dropped the packet and the
data session became stuck. In such situations, the firewall only
accepted SYN+ACK packets.
Ordinarily, if a client attempts to connect to a closed TCP port, the

server must respond by sending a RST packet. However, in such firewall
deployments, the ACOS device erroneously accepted the SYN+ACK
packet "only in reverse traffic after the SYN packet" so that the RST
packet was dropped. Therefore, the client never received the notifica-
tion that the TCP port was closed, so it kept retransmitting the SYN
packet.
389725 Firewall Major When traffic hit the ACOS firewall, the session age information for non- 4.1.1-P3-
PPTP GRE traffic was not updating in the output of the "show session" SP1
command. Instead of increasing over time, the value for these
"Unknown" sessions did not change.
389665 SLB-HTTP Major ACOS SSLi failed when sending an image with iMessage. Small text 4.1.0-P9
passed through without issue, but transmission failed when attempting
to send larger files, such as images.
The iMessage is a large chunked PUT request that contains a trailer (X-
Apple-Content-MD5). ACOS was unable to parse this trailer correctly,
and that prevented the device from forwarding the message.
389338 CGN-LOG- Major When the RADIUS table was blank, RADIUS attributes configured with 4.1.1-P3
GING "0000" were not included.
389455 System - Major Checking for resource value before system resource numbers are cre- 4.1.1-P2
platform ated for first-time booting from 2.8.2 to 4.1.1-P2.
389144 GiFW Major Non-TCP/UDP Firewall sessions did not refresh properly, even when 4.1.1-P3
there was live traffic going through the ACOS device.
389098 GiFW Enhanc The "source-address" option was not available under "fw template log- 4.1.1-P2
ement ging", so it was necessary to use the "source-address" option under
"cgnv6 template logging" as a workaround. This issue is fixed in this
release.
387967 L2/L3 Major Since concurrent session count was not freed for fragmented IP-NAT 4.1.1-P3
traffic, it was observed that the resource-usage exceeded its limit even
though not many sessions were shown on the session counter.
387898 Firewall Major In Firewall deployments, the TCP Handshake was getting dropped if the 4.1.0-P9
Explicit Congestion Notification (ECN) was enabled.
If the client had the TCP ECN feature (see RFC 3168) enabled, the cli-
ent's SYN packet had the ECE and CWD flags set.
However, the SYN+ACK response only had the ECN bit flagged, so the
ACOS device wrongly dropped these packets, which caused the TCP
handshake to fail.
page 214
Feedback

A10
387751 AAM Major When AAM was used with Explicit Proxy and SSLi, after Proxy-Authenti- 4.1.1-P3
cation was complete, then AAM rejected the HTTP request after
attempting to run the CONNECT method.
387535 aFleX Major When using aFleX with global arrays, and upon checking if the URL 4.1.1-P2
matched against the array variable using the TCL "info exists" function,
the global array variable could no longer be accessed. This issue could
happen after running traffic for some time.
387429 aXAPI v3 Critical When using aXAPIv3 to configure sync with auto-authentication, the 4.1.1-P2
command executed twice but failed to execute the second time.
387376 GiFW Major When configuring a firewall logging template that enabled HTTP log- 4.1.1-P2
ging, IPv6 fragmented HTTP traffic was dropped.
386812 SSLi Critical In SSLi deployments, the outside ACOS device sent a FIN packet if both 4.1.1-P4
aFleX and proxy chaining were configured at the same time.
386539 L2/L3 Major The same link-local IPv6 address could not be configured as both a 4.1.1-P2
floating IP and a next-hop IP for a route.
386404 Firewall Major The firewall TCP window check feature worked improperly for IPv6 frag- 4.1.1-P2
ment traffic. This caused the firewall to unexpectedly drop packets on
TCP sessions for IPv6 fragments.
385765 Firewall Critical Random ports appeared in the "show session" output for the firewall if a 4.1.1-P3
large volume of TFTP traffic was sent to the SLB-TFTP virtual port.
385609 SLB-ICAP Major In ICAP configurations, if the original HTTP request line was very long, 4.1.1-P2
the 200 response from the ICAP server was truncated/broken across
three or more packets.
384730 AAA Major If more than one TACACS server was configured on the ACOS device 4.1.0-SP2
for command authorization and if "tacacs-server monitor" was config-
ured for the TACACS servers, then ACOS was switching between the
two TACACS servers. This, in turn, caused authorization to fail.
384622 Health- Critical The aXAPIv3 only showed 60 items, even when more than 200 health 4.1.1-P2
Monitor- check objects were configured. This is because the “MAX_TLV_COUNT”
Infra is 60.
Workaround: To retrieve all 200+ objects:
1. First time: get items 1-60
2. Then get items 61-120
3. Then get items 121-180
4. And lastly, get items 181-200

384134 CGN-LOG- Major In CGN deployments, the port-batch-v2 log of format default and com- 4.1.2-P1
GING pact was incorrect.
384115 Web - ADC Critical The ACOS GUI returned an "Invalid Authentication" error message, even 4.1.1-P2
CGN if the login credentials were entered correctly.
page 215
FeedbackF
Fee
e

A10
384112 Web - ADC Major The ACOS GUI did not support NAT, proxy, and SLB mode because of 4.1.1-P2
CGN incorrect redirection.
383879 SLB-DSR Enhanc The ACOS device could not select another real server when "src-ip-only- 4.1.0-P7-
ement hash" was used and if the selected server was down for DSR traffic. To SP2
address this issue, the upper limit for the number of backup servers
available for hash persist methods was increased from 7 to 31.
383053 SLB-L4 Major An issue occurred with fluctuating throughput that was related to the 4.1.1-P1-
HRX flush timer setting. This occurred when using a special image SP2
based on 4.1.1-P2.
382936 ConfigMgr Major If a partition on the ACOS device was in block mode, multiple user ses- 4.1.0-P9-
sions must be prevented. However, multiple users were allowed to SP1
make simultaneous modifications to the partition configurations.
382732 System - Major When traffic was running on TH4440 model, output from XAUI8 indi- 4.1.1-P2
platform cated that there was no traffic being load balanced. However, XAUI8 is
an extra link that must not be shown in the first place. This output must
not be displayed in future releases to avoid confusion.
380635 SSL Major The cipher TLS1_ECDHE_RSA_AES_256_SHA384 was not available for 4.1.1-P3
hardware-based SSL, but it was supported for software-based SSL.
380353 Health- Major Background: The nomenclature for cipher suits is inconsistent across 4.1.1-P4
Monitor-L7 SSL templates and SSL health monitors. When defining ciphers under
client SSL templates, the A10-specific cipher names are used, but when
defining ciphers under HTTPS health monitors, the OpenSSL names are
used.
Issue: When attempting to configure a health monitor SSL cipher, ACOS

did not provide an error message if the user entered an invalid SSL
cipher name (such as entering an A10 cipher name instead of the
required OpenSSL name). This discrepancy (and the lack of an error
message) can be confusing for users.
379291 VRRP Major In VRRP-A deployments, the "enable" command (under "vrrp-a com- 4.1.1-P2
mon") was not synced to the standby ACOS device if the "disable-
default-vrid" option was configured on the Active device.
377908 L2/L3 Major An unexpected "timeout of draining packets issue" on the 100G inter- 2.8.2-P6-
Broad- face caused the 100G interface to lockup, and the admin could no lon- SP2
com/Mar- ger manage this interface. The lockup condition could only be fixed by
vell rebooting/reloading the ACOS device.
375304 NetFlow/ Major The ACOS device was exporting sFlow packets with incorrect sequence 4.1.1-P1
SFlow numbers. Therefore, the sFlow collector reported that duplicate packets
and out-of-order packets were exported.
374814 System - Critical Debounce is added for all the Sensor IDs to prevent false positive FAN/ 2.7.1-
platform PSU failure log messages. GR1-P1
372049 Web - ADC Major This fix addresses a vulnerability resulting in buffer overflows. 4.1.0-P8
CGN
370735 L2/L3 Major Enabling or disabling a 100 Gbps port that had live traffic flowing at a 2.8.2-P5
Broad- moderate rate caused all outbound traffic to be dropped at the XAUI
com/Mar- level. Once this issue was triggered, the only way to recover the device
vell was to reload.
page 216
Feedback

A10
370535 SLB-L4 Critical The ACOS GUI page displays empty or incorrect values for the following 4.1.2
fields in the CGN performance page (LSN chart with chassis platform):
1. Data Session used shows zero in the master.
2. SMP Sessions used shows zero in the master.
3. TCP NAT Ports free shows incorrect value in the master.
4. UDP NAT Ports used shows zero in the master.
5. UDP NAT Ports free shows incorrect value in the master.
6. Total current connections chart and real time data show zero in mas-
ter.
369292 System- Major On the A10 TH3040S model, the configuration of store name is allowed 4.1.2
platform by using special characters but using it is not allowed. An error mes-
sage for an incorrect string value is displayed.
365098 Firewall Minor The “Data Sessions Used” counter in the output of the “show fw system- 4.1.1-P2
status” displayed incorrect large values shortly after packets were sent.
356662 SNMP Major The displayed memory usage when generated by the CLI and the SNMP 4.1.0-P7
(axSysMemoryUsage) had extreme differences, when they must be
closer in parity.
348940 SLB-HTTP Major If a virtual server was configured for proxy server load balancing, the 4.1.0-P5
ACOS device did not bypass HTTPS requests as it must have. Instead,
ACOS forwarded the CONNECT request to the real proxy server and
when the client sent a "Client Hello", ACOS terminated the connection
with a FIN packet.
348881 System- Critical If the timezone configuration from a device was removed and then a 4.1.2-P2
platform reload was initiated, the timezone information appeared differently
when viewed from the two following pages:
System>>Getting Started>>System
System>>Settings>>Time
The timezone CLI command behavior was changed to fix this. When
configuring timezone with the CLI, the timezone configuration now only
appears in the startup-config after performing a write memory opera-
tion and is not part of the running-config.
347005 L2/L3 Major Interface flapping could occur on the VE or trunk interface if the system 2.8.2-P6
clock was manually configured or if NTP was used. This issue occurred
if the ACOS device had an LACP trunk configured as tagged or
untagged under any VLAN. While there was no workaround for this
issue, the interface flapping typically lasted for a short time while the
system clock was changing.
344842 SSL Enhanc ACOS did not provide an alert message after importing a Thales cert/ 4.1.1
ement key that was created by another device. Such a warning message is
needed to inform the user that the changes will only take effect after a
service restart.
page 217
FeedbackF
Fee
e

A10
311399 GSLB Major In GSLB deployments, the dns-soa-record configuration was lost after 4.1.0-P10
upgrading the device from ACOS 2.7.x to 4.1.x. This issue was triggered
if the dns-soa-record contained the character "@" symbol (for example,
in a name or email address).
307921 SLB-HTTP Major The ACOS device was continually sending "pipelined requests" to back- 2.7.2-P8
end servers, even if the response from the service indicated that the
connection was closed.
226423 GSLB Major In GSLB deployments, the ACOS device did not return CNAME records 2.7.1-P5
when queried by clients. However, the CNAME resource records can be
accessed by configuring the "cname" option under the GSLB policy in
GSLB server mode.
393380 SSL Major The ACOS device did not send a FIN packet to the client when the cli- 4.1.1-P4
ent's HTTPS request was rejected by ACOS in VRRP-A environments.


A10
387481 SLB- L4 Major Deleting an interface on a particular partition seemed to impact all parti- 4.1.0-P5
tions data.
386560 GiFW Normal An incorrect checksum calculation for ICMPv6 error messages caused 4.1.1-P2
the client to drop packets.
386065 System- Normal When setting the temperature threshold on an AX 5630S model so that 2.7.2-P10
platform it will be in the “FAILED” range, the “Physical System temperature2”
always showed “OK” and did not trigger the “FAIL” monitor event. This
issue was specific to the AX 5630S model.
385135 VRRP Normal In LSN VRRP-A configurations, if a failover occurred from Active to 4.1.1-P2
Standby, the session timeout value was still increasing on the new
Standby device.
page 218
Feedback

A10
385120 aFleX Normal The ACOS device reloaded during aFleX compilation due to a formatting 2.7.2-P10
error in an aFleX command. This issue occurred while ACOS was pars-
ing the “persist lookup uie” command, and it only happened if the com-
mand was broken into multiple lines. For example, the issue could be
reproduced with the following configuration:
TH3030S(config)#aflex create test000
Type in your aFleX script (type . on a line by itself when done)
when HTTP_REQUEST {
set p_key [persist lookup uie
{ $value any service } all]
.
385084 GiFW Normal For GiFW, IPv6 GRE packets were handled incorrectly. GRE packets 4.1.2-P1
from one side were dropped although the GRE session was created.
384727 System - Normal On TH6440 platforms, the “big-buff-pool” command was not supported 4.1.1-P2
platform since 6M buffers were already enabled.
384121 GiFW Major Syslog messages for ALG data sessions were not sent out for some 4.1.1-P3
ALGs, such as FTP and SIP.
384115 Web - ADC Critical The ACOS GUI returned an “Invalid Authentication” error message, even 4.1.1-P2
CGN if the login credentials were entered correctly.
383917 Firewall Normal CGN logs included inside RADIUS information instead of outside 4.1.1-P2
RADIUS information, as expected.
383851 Firewall Normal Flexible Traffic ASIC (FTA) models have an extra 4 bytes of packet 4.1.1-P2
length in the fw logs. This caused FW logs to show a different lengths
for the same packet on FTA devices versus non-FTA devices.
383674 SLB-NAT Normal GRE session synchronization with IP NAT PPTP ALG did not work. 4.1.1-P2
383435 System - Critical The 40G port on the TH 4440 model sometimes did not return to UP 4.1.1-P3
platform status after enable and disable the device several times.
383317 AWS Major For vThunder for AWS, the management service did not work on the 4.1.1-P3
data interface.
383038 SLB-Con- Normal The configuration for lids which have no parameter will not be dis- 4.1.1-P2
fig played.
page 219
FeedbackF
Fee
e

A10
382735 Explicit Critical The ACOS device bypassed the client-hello request to the generic proxy 4.1.1-P2
Proxy procedure due to an SSL handshake failure, and the generic proxy mis-
takenly logged the request as an HTTP request.
382705 aFleX Normal A run-time error occurred when attempting to use the persist uie with 2.7.2-P9
the pool <pool name> option. This issue occurred if the <pool name>
was a variable, such as $Poolname.
382636 SNMP Critical ACOS did not support the ability to configure SNMP SLB trap options, 4.1.2
such as "snmp-server enable traps slb" in CGN configurations. The traps
slb options are now available from this release, even in CGN configura-
tions.
381895 SSL Normal If a client's certificate included an unsupported extension (X509v3 Cer- 4.1.1-P2
tificate Policies), and if it was marked “critical”, then the ACOS device the
ACOS device had to reject the certificate. This caused client-authentica-
tion to fail. This issue occurred in normal client-ssl environments.
381835 SLB-HTTP Major In SSLi configurations, the VIP had to re-transmit the HTTP response to 4.1.1-P1-
the client. With HTTP virtual ports, sometimes instead of sending an SP1
ACK packet and then a FIN packet, ACOS sent a FIN-ACK immediately
after the VIP sent an HTTP response to the client.
381791 GiFW Critical FW ALG for PPTP did not work when return traffic for GRE session was 4.1.1-P3
handled by different CPUs that did not match the existing session and
was dropped.
381661 SLB-HTTP Normal On HTTP virtual ports with source NAT configured, the TCP connection 4.1.0-P5
was not closed properly when the client sent a POST. This caused the
server to return a 400 status code.
381465 Firewall Normal When removing a subnet or an object contains the same subnet from 4.1.1-P2
an object-group, the ACOS device behaved incorrectly, causing the con-
figuration attempt to fail.
381406 WAF Major In some rare situations, the ACOS device went into an “infinite loop 2.7.2-P10
state”, with the CPU usage spiking to 100 percent. This could happen if
the WAF received a server response containing corrupted chunked data.
381046 System - Normal Configurations created within a partition were lost if the ACOS device 4.1.0-P9
platform was downgraded from ACOS 4.1.0 (or higher) to an earlier release, such
as 3.2.2 or 4.0.3. This issue could occur if 1) the ACOS device was
downgraded, and 2) a partition was created on the device after down-
grade, and 3) configurations were made inside the partition, and 4) the
device was then upgraded back to 4.1.0 (or higher). The configurations
that was made in the partition while the device was running the earlier
release were lost after upgrading back to 4.1.0 (or higher).
380875 SLB-L4 Normal If VRRP-A was configured on a standalone ACOS device, and “vrrp-a 4.1.0-P9
force-self-standby enable” was used to make the device the standby,
the standby device was still processing traffic (as confirmed with the
AXdebug/debug command).
380401 aXAPI v3 Critical The aXAPI method for creating or updating an Access Control List (ACL) 4.1.1-P3
was not working properly.
380395 VCS Normal When a new vBlade joined a chassis that did not have a floating IP con- 4.1.1-P2
figured, the aVCS floating IP was deleted.
page 220
Feedback

A10
380317 Web Cate- Critical The Web-category command “disable-cloud-query” is enabled by 4.1.1-P1
gory - URL default. However, when this option was disabled, and if the device was
Filtering under heavy traffic, the ACOS device reloaded. This option is used to
request Webroot servers for category information for a particular URL
when the ACOS device does not have the information stored locally.
379671 Firewall Normal When configuring firewall with VRRP-A, the “half-open-idle-timeout” for 4.1.1-P3
FW sessions was not working as expected (with non-default vrid).
379567 VCS Normal In aVCS configurations, on a newly-joined vBlade node, the tagged or 4.1.2
untagged Ethernet configuration under the VLAN was lost.
379279 SSL Normal SSL intermediate certificates that were part of the certificate file were 4.1.1-P2
not being sent out during the SSL handshake.
379234 Config- Normal An FQDN server could not be deleted from the ACOS device if the same 4.1.1-P2
Mgr server exists in both the shared and L3V partitions.
For example, assume the following:
1) An FQDN server was created on the shared partition.
2) Another FQDN server (with the same name) was created in the L3V
partition.
3) Delete the FQDN server on the shared partition.
If you then tried to delete this same FQDN server from the L3V partition,
the operation would fail, and the server could not be removed from the
running config.
If you tried to remove it again, the following error message appeared:

“No such server”. You must reload the ACOS device to remove the
server.
This issue only occurred when using the long form of the CLI command:
"no slb server a10 www.a10networks.com". The issue does not happen
if you use the short form of the CLI command: "no slb server a10".
378649 TCPIP Normal When using TCP syslog servers for CGN logging, some TCP options on 4.1.1-P2
the syn-retry packets were missing or disabled. For example, for full-
proxy TCP SYN retries exceeding 2, the TCP options on the SYN packet
were disabled.
378643 TCPIP Normal When the ACOS device sent a reset packet to the TCP syslog server 4.1.1-P2
(due to retransmit retries), the ACOS device erroneously sent a
PSH+ACK+RST packet, instead of simply sending a RST+ACK packet.
378601 TCPIP Normal When a syslog service was stopped, the service would send a RST 4.1.1-P2
packet for any new attempts to connect. The TCP stack responded
after the timeout with a RST packet. This behavior was unexpected, and
not in accordance with the RFC.
page 221
FeedbackF
Fee
e

A10
378496 CGN-LOG- Major When a client request was TCP-segmented and the .html extension was 4.1.1-P2
GING not included in the first segmented packet, using the “cgnv6 template
logging include-http file-extension” command failed.
Workaround: If the HTTP request URL is shorter than the configured

“max-url-len”, then increase the value of the “max-url-len” option.
378487 Platform Normal Setting the speed to 100/10 and full-duplex caused the interface to go 4.1.1-P2
down on the TH 930 model.
378334 Firewall Normal With a basic Firewall configuration, the TCP SYN packet created a half- 4.1.1-P2
open session on the ACOS device. If a client needed to re-transmit the
SYN packet because the first SYN packet was lost (or for a similar rea-
son), then the retransmitted SYN packet got dropped by the ACOS
device. Since the retransmitted SYN packet was dropped by the ACOS
device, the client had to re-start the TCP connection from the very
beginning.
Workaround: Configure the “tcp half-open-idle-timeout” under the

session-aging template.
378313 CGN-LOG- Normal The byte-count in CGN logging did not show the number of bytes cor- 4.1.1-P2
GING rectly, as it was calculated based on “IP Length” instead of “Frame
Length”.
378007 VRRP Normal In VRRP-A configurations, if the interface IP of the standby device was 4.1.1-P2
changed, the old IP will became inaccessible for the downstream ses-
sions, even if the old IP address was owned by the real server.
377902 GiFW Critical When packets matched an existing flow, CPU usage increased to the 4.1.1-P2
point that it caused performance degradation.
377431 SSLi Major When configuring SSLi with a single partition, the SSLi inside and out- 4.1.1-P2
side VIPs sent FIN/ACK packets that contained the wrong source MAC
address.
377426 IPV6 Tran- Major When configuring a server for external logging, the health status of a 4.1.1-P2
sition specific port could not be followed.
377065 GSLB Normal When configuring GSLB, the “showtech” and “show running config” 2.7.2-P10
commands would sometimes hang due to an internal error with the
a10gmpd process.
376783 Web Cate- Critical The ACOS device experienced a slow memory leak associated with 4.1.1-P1
gory - URL web-category cloud lookups. In rare situations, if the cloud lookup failed
Filtering (due to a stale socket connection or other connectivity problems), the
ACOS device would retry the request by opening a new connection.
During this process, some memory was being overwritten without being
freed up, and 32 KB memory was getting leaked during every retry
attempt.
Workaround : Configure cloud-query-disable under web-category.

This will prevent cloud queries.
page 222
Feedback

A10
376384 VRRP-A Major If the VRID was a standalone device, or all its peer nodes were forced to 4.1.1-P2
“standby state”, then no node became active for this VRID if a standby
device was forced into active status. Using the aXAPI for this configura-
tion always failed to go into force-standby status, and a warning mes-
sage was produced. The “skip-check” option could help avoid this issue
by triggering the VRID to go into a standby state.
376366 SLB-HTTP Normal When the server sent a FIN packet to the ACOS device, ACOS used a 4.1.1-P2
RST instead of a FIN packet to close the client-side connection, and
sometimes this caused the browser to display nothing, even if it was
receiving data.
376180 Config- Normal When a block-merge command was issued and then another session 4.1.0-P8
Mgr attempted to edit the configuration by deleting a real server or a real
port, the ACOS device returned an HTTP 400 and HTTP 404 with the
message “Not Found : Object specified does not exist”.
375697 IPV6 Tran- Critical On FPGA platforms configured with http-alg, the ACOS device reloaded 4.1.2-P1
sition upon receiving fragmented HTTP requests.
375412 System - Normal The ICMP timestamp request and respond packets were not dropped 4.1.0-P9
manage- as expected.
ment
375343 Config- Normal When using the OVA file from the A10 Support Portal to launch a new 4.1.1-P1
Mgr vThunder instance, ACOS did not allow use of the GUI to edit an inter-
face.
This issue only occurred when the vThunder instance was deployed
using the OVA found on the Support Portal, and the issue did not occur
after upgrading the vThunder instance to the same release, but this time
using an upgrade image (with the UPG extension).
The GUI requires platform information that is included in the JSON

schema, so it is necessary to run /a10/bin/a10jsongen in the ACOS
device to generate the necessary JSON schema files.
This “a10jsongen” was launched and running when the instance was
created using the UPG upgrade file, but the file was erroneously not
included in the installation OVA file.
375289 SSL Normal In end-to-end SSL offload, downloading a file over HTTPS failed when 4.1.0-P7-
the back-end server sent a “close notify signal” and the SSL card was in SP2
the middle of processing encryption or decryption operations.
Workaround: Configure the “close-notify” option in the client-ssl tem-

plate, so the connection is not closed after receiving the server's close
notify signal.
375073 L2/L3 Normal After reloading the ACOS device, a static ARP/ND6 entry was still cre- 4.1.1-P2
ated on a VE port, even when the port was in a DOWN state.
Workaround: Toggle the port status (enable-disable) to remove the

ARP entries from the table.
374863 SSLi Major ACOS as unable to bind “class-list type ac” file to “multi-class-list” option 4.1.1-P2
in the client-ssl template. The “write memory" command was required
before binding the class list to the template.
page 223
FeedbackF
Fee
e

A10
374671 Web - ADC Normal With approximately 100 or more VIPS configured, if the user accessed a 4.1.1-P1
CGN Chart hyperlink from the Statistics column using the GUI, the chart
graph would display intermittent zeros.
The affected Chart hyperlinks were accessible from the following GUI
pages:
• Dashboard>>ADC
• ADC>>SLB.
374500 Router/ Normal The ACOS device stopped sending OSPFv3 multicast packets when the 4.1.1-P1
OSPFv3 OSPF neighbor count reached 150 peers.
374389 aFleX Normal When using the aFleX command "HTTP::respond 400" while the ACOS 2.7.2-P5
device was in the middle of receiving a client POST request, this some-
times caused various HTTP parsing errors to occur, such as, "HTTP
header ... too long".
Workaround: Use "HTTP::collect" to collect the whole POST request

first, and then use the "HTTP::respond 400" command.
373617 GiFW Critical When using DCFW with VRRP-A, a session mismatch occurred between 4.1.1-P1
the active and standby units if the ACOS device was running LSN and
DCFW traffic together and if the “tcp half-open-idle-timeout” option was
configured. In such cases, the sessions were not deleted on the standby
device.
373165 Firewall Major When sending TFTP traffic to SLB, the control session went through but 4.1.1-P2
the data session was denied, even though there was a session match.
369229 Config- Normal Block-merge hit an error while trying to replace the source-NAT pool 4.1.0-P8
Mgr while connection reuse was enabled.
368446 Explicit Major A forward-to-proxy policy error was occurring in which, for client 4.1.1-P1
Proxy requests received in a specific order, the subsequent request was not
forwarded correctly. The forward-to-proxy policy was resetting connec-
tion parameters, such as which “forward-to-service-group”.
368203 SLB-HTTP Normal With “100-cont-wait-for-req-complete” configured in the HTTP template, 4.1.0-P8
the ACOS device sent a RST to the client or server if it received a 401
response error message without the content-length header.
367342 L2/L3 Normal When migrating an L3V interface configuration from a 2.7.2 ACOS to a 4.1.0-P8
4.1.X ACOS system the migration process failed due to the existence of
certain interface configurations that were present inside an L3V inter-
face such as MTU, name, flow-control, speed, duplexity, LLDP, monitor,
and load-interval.
367006 System - Normal The ACOS device SSH config file only supported hmac-sha1 and hmac- 4.1.1-P2
platform sha1-96. To enhance SSH security, support for two MAC algorithms
(hmac-sha2-512 and hmac-sha2-256) was added to the SSH client and
server configuration files, and hmac-sha1-96 will not be supported in
future releases.
366844 SSLi Major If an import of cert/key/crl/ca-cert failed, instead of returning an error to 4.1.1-P2
the CLI, it was being added to periodic import backend file, and ACOS
was trying to import periodically. This was not the expected behavior.
This behavior is expected only for failure cases of periodic-import con-
figuration and not for regular import configuration.
page 224
Feedback

A10
366823 SSLi Normal In SSLi configurations, the certificate cache count that appeared in the 4.1.1-P1
output of the CLI “show slb ssl-forward-proxy-stat” command mistak-
enly included those certificates in the outside partition, even there were
no certificates cached in that partition.
365965 SLB-Con- Normal In GSLB configurations, the ACOS device was unable to create CNAME 4.1.1-P1
fig records with underscore “_” and would produce error messages.
365794 SSLi Normal Non-TCP/UDP traffic sometimes bypassed the security/FW device and 4.1.1-P2
was forwarded to the internet. The “redirect-fwd” or “redirect-rev” com-
mand options were not effective when configured under “port 0 others”
virtual port, so traffic was sometimes not redirected to the security/FW
device.
364738 TCP/IP Major In a VRRP-A configuration, when failover occurred from the active 4.1.0-P9
device to the standby device, the active Layer 7 sessions continued
from the new-standby device.
364618 SLB-FTP Normal A 4K memory leak occurred with ftp-proxy virtual port configurations. 2.7.2-P10
The 4K memory block was continually increasing if the request was
split across multiple packets.
364598 IPV6 Tran- Critical In 4.1.1-P3, it is compatible to synchronize sessions from a device run- 4.1.1-P1
sition ning an older release, such as 2.7.x, 2.8.x, 4.1.0-PX, 4.1.100 and older.
However, ACOS 4.1.1-P3 does not support the ability to synchronize
sessions from releases 4.1.1 to 4.1.1-P1.
(See Upgrade Recommendations and Notes for details.)

363100 SLB-L4 Major In an SSLi single-partition setup, if interfaces with redirect-fwd and redi- 4.1.1-P1
rect-rev were tagged, then SSLi did not work.
361897 VRRP-A Major The standby device in a VRRP-A pair was erroneously sending FIN/RST 4.1.1-P3
packets. This could happen with older active Layer 7 sessions that had
aged-out.
361699 Health- Enhanc A config-management limitation caused regular expressions containing 4.1.1-P1
Monitor- ement a '?' character to not work. This limitation impacted health monitor con-
Infra figurations.
361594 SLB-NAT Normal An issue caused the ACOS device to avoid using the IP NAT Gateway 4.1.1-P1
and it was instead sending packets out using the static route. If the out-
side interface matched the IP NAT subnet range, then the ACOS device
must be using the IP NAT gateway as the next-hop, but this was not
happening.
360181 System - Critical The ACL on the ACOS device was not dynamically updating service ipt- 4.1.1-P1
manageable entries. For example, when the ACL was used to provide manage-
ment ment services, the iptable entries must be automatically updated, but
this was not happening. Workaround: Remove the management port
and then re-attach it under the service.
360022 SLB-SMTP Normal A slow memory leak occurred when IMAP traffic was sent over an 4.1.0-P7
invalid request line.
page 225
FeedbackF
Fee
e

A10
359716 SLB-L4 Normal When all real servers were down, using the “reset-unknown-conn” com- 2.7.1-
mand sent a RST packet in reply to the client's SYN packet. The “reset- GR1-P2
unknown-conn” option only works if there are no active sessions and if
the VIP receives any TCP packet that has ACK, PSH, PSH-ACK, FIN, FIN-
ACK, or URG flag.
359563 System - Normal ACOS version 4.1.1-P3 or later can use a maximum of 2 TB of hard drive 4.1.1-P1
platform size. For previous versions of ACOS, if you use a hard drive size greater
than 2 TB, the usage is much less than 2 TB.
358915 VRRP-A Normal In a VRRP-A pair, the 'set-id' option could not be synchronized with the 4.1.1-P1
destination ACOS device using the 'config sync' command. This issue
occurred if the set-id option was different on the active and standby
devices in the pair, and if the 'config sync' command was used.
358117 GSLB Normal GSLB persistent sessions could not be synchronized among controller 2.7.2-P10
group members if there was a mismatch in the controllers' partition IDs.
358036 SLB-Con- Major When binding a policy to multiple virtual ports, the ACOS device did not 4.1.1-P2
fig migrate all of the configuration after upgrading the device, so the PBSLB
configuration was missing.
347248 L3V Major Deleting an L3V partition affected the trunk ports on the ACOS device. 4.1.1-P3
This issue occurred under the following conditions:
1) Create multiple L3V partitions.
2) For each partition, create one or more interface VLANs.
3) Tag all of the VLANs on each partition to bind them to the trunk inter-
face.
4) Delete one of the network partitions.
While this issue did not impact traffic, the output from the "show varlog"
command shows that deleting the L3V partition impacted the trunk
ports, resulting in unexpected log messages, such as the following:
Oct 7 22:40:15 AX2600 a10dcs: begin handling __dcs_vn-

p_part_own_routing
Oct 7 22:40:15 AX2600 a10dcs: end handling __dcs_vn-

p_part_own_routing
344977 SLB-HTTP Normal Various Source NAT issues occurred with VRRP-A and url-switching 2.7.2-P8
configured. This issue occurred when configuring a VIP with VRRP-A
enabled, and an HTTP template with “url-switching”,
“no def-selection-if-pref-failed”, and “no default service group”. With this
configuration, when url-switching was hit, the connection was reset, and
when the url-switching was not hit, the ACOS device responded with a
504 error message.
344872 SSL Enhanc There was no log message generated when the remote files system for 4.1.1
ement Thales HSM was down.
332122 SLB-Conn- Critical Removing the connection re-use template from the SIP-TCP virtual port 2.7.1-
reuse with running traffic caused the ACOS device to reload. GR1-P2
page 226
Feedback

A10
331900 SLB-DNS Enhanc Ported feature to honor the DNS server response TTL. 4.1.1
ement
329632 NAT-CGN Normal For a CGN device with VRRP-A configured, a full-cone session entry for 4.1.2-P1
an FTP data session (in FTP “active mode”) was erroneously created on
the standby ACOS device, instead of being created on the active ACOS
device. Then, the full-cone session on the standby device timed-out
shortly thereafter.
317689 NAT-CGN Major The client-to-server connection did not work if configuring “max-users- 4.1.1-P3
per-ip 1” in the NAT pool, but it worked if configuring “max-users-per-ip
2” in the NAT pool.

The issues fixed in 4.1.1-P2 are listed in the Table 19. The issues are listed by A10 tracking ID, beginning
TABLE 19 Fixes in Release 4.1.1-P2

A10
372721 AAM Critical A memory leak occurred during Kerberos relay when multiple requests 4.1.1-P1
were sent on a single connection. This issue could occur if the connec-
tion contained many request or if the connection requests were created
or cleared frequently.
372484 TCP/IP Normal When the client sent an ICMPv6 “too big message”, ACOS failed to 4.1.1-P1
update the TCP MSS value.
372271 SSLi Major The ACOS device was waiting for the CRL response, but the certificate 4.1.1-P1
was not ready. Therefore, the connection was automatically bypassed.
To avoid this outcome and ensure that packets are dropped, you must
configure the option "forward-proxy-cert-not-ready-action reset".
371944 AAM - Ker- Normal The ACOS device sometimes reloaded when using the CLI show aam 4.1.1-P1
beros authentication klist command to display information about cached Ker-
beros tickets.
371854 SSLi Major Several weak ciphers are no longer enabled by default, while newer/ 4.1.1-P2
stronger ciphers have replaced them as defaults. See Default Behavior
Changes Introduced in ACOS 4.1.1-P2 for more information.
371003 System - Critical vThunder for KVM instances may reload when running Ubuntu version 4.1.1-P2
manage- 12 (or earlier). A10 Networks recommends running Ubuntu 16.04 or lat-
ment est for vThunder for KVM deployments.
370840 Web - ADC Normal Historical stat data was not deleted from the disk when SLB objects 4.1.0-P8
CGN were removed from the configuration, and over time, this condition
could lead to high disk usage.
page 227
FeedbackF
Fee
e

A10
370795 SSL Critical The ACOS device was unresponsive while configuring multiple SNI 4.1.1-P2
objects under the client-ssl template. The system memory became low
and reached 95% CPU utilization. This could happen if there were
80,000 contexts (for example, while configuring 8000 server-name con-
figurations under the client-template, with that template then bound to
10 or more virtual-ports).
370300 SLB - Normal The ACOS device removed HTTP cookies if cookie persistence was 4.1.0-P4
HTTP enabled and the client sent cookies that was not inserted by the Thun-
der device.
370279 Web - ADC Normal When changing management services on a vBlade using the GUI, if you 4.1.0-P7-
CGN have an ACL on any of your ethernet ports for a certain service then this SP2
ACL will be applied to any other port with the same service enabled that
does not have an ACL (state “on”).
370276 Explicit Critical An issue occurred where overlapping subnets were not functioning as 4.1.1-P1
Proxy expected in class-lists for the destination IP in a Policy Template.
369034 SNMP Critical When sending 10,000 ICMP requests to the configured SNMP trap 4.0.3-P2
threshold, suppression logs appeared, but the SNMPv1 trap messages
were not sent out by the ACOS device.
368548 SLB - DNS Normal The ACOS device was incorrectly routing the dns-response packets with 4.1.1-P1
fragment, instead of hitting the session. This occurred because the
reassembled fragments did not match the DNS session. This was due
to an incomplete match for the query id switch configuration.
368528 SSL Normal An SNI issue occurred when the certificate could not be created for the 4.1.0-P5
session, causing the ACOS device to reload.
367960 Firewall Critical The ACOS device reloaded when running firewall traffic with local-type 4.1.1-P2
dest zone defined under the rule-set.
367851 Web - ADC Normal The symbol for CR (carriage return) and LF (line feed) could not be 4.1.0-P8
CGN edited, so the solution was to allow CR and LF as a normal string.
367006 System - Normal The ACOS device SSH config file only supported hmac-sha1 and hmac- 4.1.1-P2
platform sha1-96. To enhance SSH security, support for two MAC algorithms
(hmac-sha2-512 and hmac-sha2-256) was added to the SSH client and
server configuration files, and hmac-sha1-96 will not be supported in
future releases.
367003 Web - ADC Critical The ACOS device failed to generate show techsupport output via the 4.1.1-P1
CGN GUI if the device had reached its maximum supported number of parti-
tions.
366328 VRRP-A Critical From the GUI, VRRP-A status is not being displayed for private parti- 4.1.0-P7
tions.
366085 SLB - L4 Normal If the hash-table size was not an exact multiple of JIFFIES PER MINUTE, 4.1.1-P2
then the aging loop completed faster than expected.
365989 SLB-NAT Normal The ACL check was being done after the session had already was set 4.1.1-P1
up. However, since the session was already set up, the ACL that was
bound to the server interface must not impact upon receiving a
response.
365731 SSLi Normal The chain-cert command in the client-ssl template did not work with 4.1.0-P7-
SSLi on SWSSL platforms. SP2
365620 SSLi Enhanc ECDSA certificate client authentication was not working on hardware 4.1.1-P2
ement SSL.
Fix: Adding support for ECDSA client-authentication in HW-SSL setup.
page 228
Feedback

A10
365460 Firewall Normal Configuration of a local-type dest zone resulted in high data cpu usage. 4.1.1-P2
363652 aFleX Normal The process “a10lb” reloaded multiple times if using aFleX to edit “per- 2.7.1-
sist size uie” to limit connections based on uie session count. GR1-P1
365129 ACL Critical The ACOS device could not remove all object groups in a long run. 4.1.1-P2
365065 System - Normal vThunder running on KVM platform required two serial ports: ttyS0 and 4.1.1-P2
platform ttyS1, but only one was included on the default virtual machine. Hence
the "agetty" process kept re-spawning and this caused disk usage to
build up.
365023 SLB - L4 Critical The output from the show slb service-group CLI command was errone- 4.1.1-P2
ously displaying VIPS under every service-group member and also indi-
cated that the health check status was removed for individual servers.
364765 SSLi Major The ciphers "TLS1_ECDHE_RSA_AES_256_SHA384 and TLS1_ECDHE_- 4.1.1-P2
ECDSA_AES_256_SHA384" are only supported on Software SSL, and
cannot be configured using hardware-based SSL (i.e., third generation
SSL card).
364753 ConfigMgr Critical The start-up profile was sometimes erroneously cleared if the write 4.1.0-P5
memory operation failed during one step. ACOS did not create a backup
before writing to the start-up profile directly.
364720 Web - ADC Normal When uploading the SHA2 Certificate to replace the default one pro- 2.7.1-
CGN vided in the ACOS GUI, an error message was seen: “Cannot load GR1-P2
unmatched web server certificate or key. Only key size less than or
equal 2048 PEM format certificate and not including special characters
in name is supported.”
Support for SHA2 Certificate on FIPS platform Control Plane is added.
364378 ConfigMgr Normal When using BGP peer-groups, if a neighbor is shut down and then sub- 4.1.0-P9
sequently removed, the configuration cannot be deleted.
364153 SLB - L4 Critical This new feature under DSR health-check allowed the ACOS device to 4.1.1-P2
send health-checks to multiple virtual servers (VIPs) that are bound to
same service-group. In prior releases, the DSR health-checks were sent
to only one VIP. The new CLI option health-check-to-all-vip is added
under SLB common, and this must be configured along with dsr-health-
check enable.
364096 GSLB Normal A GSLB-related configuration loss occurred for certain group members 2.7.2-P9
after the ‘a10lb’ process reloaded. The configuration loss did not occur
if it was in “member status” before the reload.
The workaround is to save the gslb group related configuration for the
members so if the ‘a10lb’ process reloads, the members can retrieve
their configurations from the master when the connection is re-estab-
lished.
page 229
FeedbackF
Fee
e

A10
363956 Explicit Critical The ACOS device reloaded if the following conditions were met when 4.1.1-P2
Proxy the “import class-list overwrite” was invoked:
1) the template policy had multiple source rules, AND
2) each source rule had at least one dest. ac/ipv4/ipv6 class-list rule,
AND
3) any of the entries in the destination class-list were duplicated.
The reload could occur even if multiple source rules had different desti-
nation class-lists, but a class-list which had a duplicated entry in the
existing class-list was imported.
363205 aFleX Critical Occasionally, a local variable defined under an aFleX script was modi- 4.1.1-P2
fied or used by a different session.
363201 VRRP-A Critical If the disable-default-vrid option was configured in VRRP-A common 4.1.1-P2
and no VRID was attached with a resource configuration, then the ACOS
device was erroneously considered to be the standby device for vrid 0.
363163 Health Normal When changing the health monitor method from TCP to HTTP, the 4.1.0-P8
Monitor proto_data of the Health Monitor instance of the old TCP method was
not freed, so it could not be used for the new HTTP method.
363076 VRRP-A Normal In VRRP-A configurations with 3 devices, changing one of the ACOS 4.1.100
devices to a higher priority did not lead to the expect change in the
active role of the devices.
362449 SNMP Major The GUI statistic for total throughput had no equivalent OID for use via 2.8.2-P6
aXAPI. The following object was added: axGlobalThroughputPerSecond
that adds throughput of all Ethernet interfaces.
362422 SLB-Policy Normal Importing a file using the Windows SFTP client was causing the file to 4.1.0-P7-
be created with 600 permissions. Both the GUI and the show bwlist SP2
<name> details CLI command were not able to display the content.
362215 Web - ADC Normal On Internet Explorer 11, with “Display intranet sites in Compatibility 4.1.0-P7
CGN View” on, the GUI would appear blank after logging in.
Workaround: Use Firefox or Chrome web browser, or de-select “Display

intranet sites in Compatibility View” in Internet Explorer 11 (IE11) before
using IE11.
362113 Firewall Major The CLI for configuring logging for the Firewall is changed with release 4.1.1-P2
4.1.1-P2. Please see the logging chapter in the Data Center and Gi/SGi
Firewall Configuration Guide for more details on how to configure it.
362107 System - Normal AZERTY Keyboard locale and some Numeric Fields in the GUI might not 4.1.1-P2
platform work as expected. With the AZERTY keyboard it may not be possible to
enter numeric values in some numeric fields.
362104 ACL Normal The ACL hit counts were not correctly displayed when configured on the 2.7.2-P9
management interface or under enable-management CLI.
361906 WAF Normal When WAF was configured on a virtual port, the responses were col- 4.1.1-P2
lected and parsed before being sent to the client, which resulted in the
content being repacked using chunked encoding. This occurred even if
the original server response was un-chunked. After this fix, the WAF will
parse the server data only if there is a specific configuration requiring it.
page 230
Feedback

A10
361861 ConfigMgr Normal Under certain conditions involving the commands show aam authenti- 4.1.1-P2
cation statistics ldap and show aam authentication statistics radius, a
memory leak occurred.
361732 AAM Normal The back-end server authentication failed, due to the auth-header was 4.1.1-P1
removed by AAM.
361606 Router Normal In configurations with BGP default route-map configured with the “as- 4.1.100
path prepend” option, upon a VRRP-A state change, the BGP update
advertisement was delayed by up to 30 seconds.
361285 SNMP Major The sysName was not returned. 4.1.1-P1
361279 VRRP-A Normal In a VRRP-A deployment, if one of the devices is running with a 411 4.1.1-P1
patch release and another device is running an older release (for exam-
ple, 2.7.x/2.8.x/4.1.0), unexpected things occurred on the standby
device, such as a reload or a failure to synchronize.
361210 SSLi Normal With the forward-proxy-cert-not-ready-action reset configured, the con- 4.1.0-P8
nection was not dropped, even though the certificate was not ready.
This caused the first connection to the server to be bypassed instead of
being dropped.
361009 NAT64 Normal In MAP-T, the TTL value was being incorrectly reset during the transla- 4.1.1-P1
tion from IPv4 to IPv6 and IPv6 to IPv4. Also, the TTL value was not
being decremented. When the TTL is 1, the ACOS device must decre-
ment the TTL value and send an ICMP/ICMPv6 error message. How-
ever, ACOS was instead forwarding the packet. Both the issues are
addressed in this release.
360784 aFleX Normal The ACOS device could reload while running live traffic if there was only 2.7.2-P8
one aFleX script and the script had only a switch statement.
360586 TCPIP Major The ACOS device could reload upon receiving an ICMP type 3 code 4 4.1.1-P1
message with MTU very small or zero.
360574 ConfigMgr Normal With VRRP-A configured, when the user synchronized the configuration 4.1.1-P1
through the GUI, web-category would become disabled.
360568 SLB - L4 Major The TTL value was not being decremented as expected, and this some- 4.1.0-P7-
times caused a continuous loop. This release supports TTL decrements SP2
for all incoming packets.
360274 SSLi Normal Proxy-chaining kept the client's request and then prepared the SSL cer- 4.1.1-P2
tificate for SSLi. However, if the certificate preparation failed, the kept
request was not handled correctly.
360157 SSLi Normal The first request sent to a server using SSLi could sometimes be 4.1.0-P8
bypassed instead of being dropped. This could happen even if the
option forward-proxy-cert-not-ready-action reset was configured, and
even if the real certificate had an OCSP URI. The ACOS device would
attempt to retrieve the OCSP information for the certificate, but this pro-
cess can take some time, so the ACOS device bypassed the request
while waiting for the OCSP response.
360016 SSL Normal Blocks from the 928-byte memory pool were sometimes leaked when 2.7.2-P9
the SSL card was at maximum capacity.
359965 SLB-NAT Normal When globally configuring snat-on-vip in the shared partition, SNAT 4.1.1-P1
occurred as expected with an access list match, but when globally con-
figuring snat-on-vip within an l3v partition, SNAT did not occur. The
snat-on-vip command did work in the l3v partition when configured
under the virtual-port.
page 231
FeedbackF
Fee
e

A10
359329 Router Normal The output of the show ip ospf command incorrectly indicated that 4.1.1
graceful restart was supported.
359200 SSLi Normal Certificates that must be trusted by the forward-proxy-trusted-ca were 4.1.0-P8
instead signed by the forward-proxy-alt-sign cert and key. This could
cause forged certificates to be signed by the alternate cert and key,
instead of being signed by the expected main cert and key. This issue
could happen if any cert in the chain was signed by a cert that was not
included in the forward-proxy-trusted-ca file, thus causing the verifica-
tion to fail.
359143 ACL Critical The management service ACL had to be removed and then re-added in 4.1.1-P1
order to apply the changes.
359122 System - Normal Multiple critical logs reporting voltage over monitor threshold limit were 4.1.1-P1
platform erroneously generated. The status in the output from the “show environ-
ment” command was also erroneously reported.
359050 System - Critical On a THI840, the environmental log information inaccurately reported 4.1.0-P1
platform system voltage threshold being over the limit, when the voltage was
within the limit.
359032 SLB-NAT Major There was no ‘ping’ response from an IP NAT pool address unless the 4.1.0-P7
CLI command ip nat icmp respond-to-ping was used. With this release,
the IP NAT pool (SLB NAT pool) address to respond to pings when it is
in use, irrespective of IP NAT inside/outside configuration.
358969 CGN-LOG- Normal The ACOS device reloaded when performing HTTP logging if the HTTP 2.8.2-P6
GING request HOST header was significantly larger than the max-url-len (for
example, twice the default of 100).
358567 SLB - L4 Major ACOS did not support stateless auto switch service group methods to 4.1.1-P2
be used with HA sync. However, prior releases allowed both features to
be configured together, even though this behavior was not supposed to
be supported.
358369 System - Critical In some cases, the COS value is incorrectly marked on outbound pack- 2.7.2-P10
manage- ets.
ment
358331 System - Critical The GUI was erroneously accepting a backslash "\" in the user names 4.1.0-P7
manage- when it must not be allowed to do so. This could cause problems with
ment such names in the CLI.
358305 System - Major With a basic CGN configuration, if the following actions occurred, an 4.1.1-P1
manage- HRX and QDR drop could occur:
ment
- Run UDP traffic at 300Mb/s on one device (TH5430)
OR
- Run UDP traffic at 1Gb/s on one device (TH6440)
Disable, then enable the management port.

358285 System - Enhanc The smtp mailfrom character limit of 32 was insufficient. 4.1.0-P7
manage- ement / The character limit is increased to 64.
ment Normal
page 232
Feedback

A10
357991 L2/L3 Normal If the user did the following: 4.1.0-P7
1) Configure a trunk group in two ethernet ports
2) Create bpdu-fwd-group <> and attempted to add those ports in group
Only the lead member of the trunk was allowed to be added.

Upon doing a write memory and reload, the trunk configuration from the
non-lead member was missing.
357938 VRRP Normal When configuring “vrrp-a preferred-session-sync-port trunk”, if the trunk 4.1.1-P2
ID is greater than 16, then the command will fail to execute.
357337 System - Critical A core-less reboot occurred on the ACOS device which was caused by a 2.7.2-P9
platform race condition in the kernel hash table.
356858 System - Critical NTPD only listened on the physical interfaces and not the VE interfaces. 4.1.0-P7
manage- Therefore, NTP could not sync with the NTP server using the VE inter-
ment face.
356838 NAT-CGN Normal The "allow-slb-cfg enable" feature did not work with lsn-rule-list. 4.1.1-P1
356830 System - Normal When the maximum number of admin sessions is reached, the session 4.1.1-P1
manage- ID restarts at 1 but then does not get incremented as additional ses-
ment sions are created.
356773 SSL Normal SSL renegotiation did not work with RC4 ciphers. ACOS could not open 4.1.0-P7-
a website going through SSLi. The issue happened on the external SSLi SP2
device, which had the connection between the ACOS device and real
server. The website was doing SSL renegotiation and was using RC4
ciphers. If RC4 ciphers were disabled in the server-SSL template, then
the website opened without issue.
356662 SNMP Major The displayed memory usage when generated by the CLI and the SNMP 4.1.0-P7
(axSysMemoryUsage) had extreme differences, when they must be
closer in parity.
356467 L2/L3 Normal If an ACOS device is in transparent mode and you attempt to modify the 4.1.0-P7
default gateway without removing the old gateway first, then the output
from the CLI command show ip route will display multiple gateway
routes. This could cause lack of synchronization between the front- and
back-end configurations, and any packets sent to the default route
could be lost.
356257 Health Critical LDAP Health Monitor was incorrectly reporting health check as DOWN 4.1.1
Monitor with a result code 0, when the result code 0 must only occur for health
monitor marked as UP.
355909 SSL Critical With session-cache enabled, the original connection continued to work 2.7.2-P9
but the re-use connection failed. The ACOS device completed the ses-
sion-reuse handshake and forwarded the data to the server, but the
server response was not forwarded back to client.
355612 IPV6 Tran- Normal MAP-T CE enforced dropping inbound packets to reserved destination 4.1.1-P1
sition ports. However, in MAP-T shared address configurations, it is now being
done in BR itself.
page 233
FeedbackF
Fee
e

A10
355609 aFleX Normal An aFleX script caused the ACOS device to reload, due to invalid usage 4.1.0-P7
of the following:
[CLASS::match [IP::client_addr] class value ip]
The “value” keyword was not a supported parameter, and use of this
triggered a NULL pointer de-referencing that caused the device to
reload.
355459 System - Normal The process for the Config manager becomes stuck and the CLI and 4.1.1-P1
platform GUI hang after running the show techsupport export command.
355288 SSLi Major The ACOS device sometimes reloaded if there was live traffic, and if a 4.1.0-P8
service-group was removed from an HTTP virtual port, which was
bound to a forward-policy template.
355192 TCPIP Normal If a client requested ECN in the TCP options, the TCP stack sometimes 2.7.2-P7
responded with “ECN capable” even though it was not ECN capable.
When the SYN packet was received with the ECN flag set, the SYN-ACK
response also had the ECN flag set, although ECN was not supported in
some cases.
354926 Explicit Critical Using a software solution for SSL with an explicit proxy policy, if the cli- 4.1.1-P1
Proxy ent-ssl template was configured to include a bypass and client access
to a website which was bypassed, the ACOS device would fail.
354830 Web - ADC Major Errors sometimes occurred when attempting to use the GUI to config- 4.1.1-P1
CGN ure object names containing special characters.
354788 AWS Major If the user updates the license on a vThunder for AWS device and later 4.1.1-P1
revokes it, the “factory-installed” default license will also be revoked.
This is because only one license file can be present on the system at a
given time.
354772 SLB-NAT Normal External Service Auto-NAT failed when a large number of ports were 2.7.2-P8
configured. With this fix, response packets for the data sent to an exter-
nal service group are returned to the same CPU as the client connec-
tion.
354676 aFleX Normal If using the aFleX command DNS::header to configure the ACOS device, 2.7.2-P9
the AD and CD fields could not be read or set. Attempting to change
either value was unsuccessful.
354442 SSLi Normal Cert-Fetch requests were terminated by a FIN packet in SSLi + Proxy 4.1.0-P8
environments, resulting in memory leak issues.
354247 SLB - L4 Normal Retransmitted SYN packets are being dropped if the half-open-idle-time- 2.7.2-P9
out is configured.
353587 SSLi Normal The server-side SSL renegotiation did not work on the outside ACOS 4.1.0-P6
SSLi device. The renegotiation-disable did not take effect as long as for-
ward-proxy-enable was configured.
352516 System - Normal This fix addresses issues with the buffer threshold in multiple CPU envi- 2.7.2-P7
platform ronments.
page 234
Feedback

A10
351968 DHCP Normal If an interface has DHCP enabled but the IP address is not yet obtained, 2.7.2-P7
a wildcard VIP configuration is rejected. Similarly, if a wildcard VIP is
already configured and DHCP is enabled under an interface where the IP
was not assigned, then the wildcard VIP configuration was lost after
saving and rebooting the device.
The workaround for this issue is as follows: after the device is rebooted,
remove the DHCP configuration, re-configure the wildcard VIP, and then
re-add the DHCP config on the interface.
351347 Web - ADC Normal Using the GUI, when selecting the period of time to display a VIP chart, if 4.1.1
CGN the period of time was longer than 3 days, the graph would only provide
the period of time up to the 3 days from the initial start time.
351211 VCS Normal The user was not allowed to rename the device name without doing a 2.7.2-P10
“no” operation on the device name.
351154 AAA Normal Increasing LDAP DN Field Length to 128 characters as per requirement 4.1.1-P1
349975 SSL Normal In previous releases, the ACOS device did not check the SignatureAlgo- 4.1.0-P8
rithm extension offered by the client and always signed the ServerKey-
Exchange message with SHA1. This caused connection errors if the
client did not support SHA1. In this latest release, support is added for
the SignatureAlgorithm extension.
349252 SLB - L4 Major The age of the TCP half open session refreshed to 60 when the CLI 2.7.2-P9
options half-open-idle-timeout and reset-unknown-conn were both con-
figured.
349078 SLB - DNS Normal With SNAT enabled, if two DNS queries were received on the same socket, 2.7.2-P8
both would be sent to the server, but only the first response would be sent
to the client.
Workaround:
Configure a udp-template with aging-short to change fast-path processing
to slow-path.
Recommended addition configuration:
slb template udp u1
aging short 6
348631 NAT-CGN Normal For certain ranges of NAT IPs, the NAT IP will not be configured to 4.1.0-P8
Linux. This sometimes caused issues when advertising the NAT IPs.
(The fixed-NAT pool was not added to Kernel lo1 if the first octet was
either the subnet ID or the broadcast IP integer.)
348014 Health Major The ACOS device generated “service-group down” logs even though one 4.1.1-P2
Monitor or more members of the service-group were UP.
347020 Chassis Major The show log command was displaying some incorrect output. 4.1.100
Platform
346027 System - Major This fix addresses an issue with high control CPU usage using a config- 2.8.2-P5
platform uration option for the switching ASIC.
341740 Web - ADC Normal Using Internet Explorer 11, if the user attempted to use the GUI to edit a 4.1.0-P5
CGN DCFW ruleset, the ruleset edit page would sometimes not appear.
340939 NAT-CGN Critical In some SLB SIP configurations with HA, the device was not working. 2.8.2-P4-
The workaround is to avoid using HA for SIP traffic. SP2
page 235
FeedbackF
Fee
e

A10
337997 SLB-NAT Normal The ACOS device incorrectly allowed users to configure an IP NAT 4.1.0-P8
range which included an IP that was already being used by a virtual
server. This caused the VIP configuration to be lost upon reload. The fix
prevents such misconfiguration.
336658 System - Normal TH6430 was updated for fan ID mapping to match with the installation 2.7.2-P8
platform guide.
336247 SLB - L4 Critical Non-session packets were being forwarded to the home CPU rather 2.7.1-
than honoring the CPU round robin. GR1-P2
335689 Network Enhanc The CLI command “ntp allow-data-ports” now works for virtual inter- 4.1.0-P4
manage- ement faces.
men
333271 Web - ADC Enhanc The Restore page, under System>>Maintenance>>Restore, now sup- 4.1.1
CGN ement ports a local option in addition to remote.
331060 AXDebug Normal The AXdebug command failed to capture packets from the backend 2.7.1-
server for sip-tcp virtual-port with connection reuse. GR1-P1
324745 SLB-Log- Normal In some rare case, the syslog thread of the process 'a10logd' could 3.1.4
ging hang, due to failed attempts to write to /dev/console. In such cases, the
remote syslog messages were not sent.
320722 System - Normal On 1GB SFP fiber ports, link monitoring action was unexpectedly trig- 4.1.0-P3
platform gered on an SLB monitor template after the system was reloaded or
rebooted.
316150 System - Normal The CLI command system template monitor <id> is made obsolete. 4.1.0-P1
platform This command is replaced by the new command system template-bind
monitor <id> which is available since the ACOS 4.1.0 release. This
release removes the older, obsolete command.
309199 Platform Enhanc This bug fix includes the following enhancements: 2.7.2-P5
ement
1. The default minimum temperature threshold for the systems is
changed from 25 degrees to 1 degree.
2. If the system temperature drops below the minimum threshold tem-

perature, a log will be generated that has the severity of INFORMATION,
instead of CRITICAL.
299044 Health Normal Configuring the min-active-member option in a service-group some- 2.7.2-P4
Monitor times caused the control CPU to reach high utilization levels.
291955 System - Normal Fixed CVE bug CVE-2015-5600. 2.7.0-P8
manage-
ment
284350 System - Major If a password was entered that used the maximum number of charac- 2.7.2-P7-
manage- ters, plus a few extra characters, ACOS accepted the password (even SP1
ment though it must not be accepted). However, ACOS only verified the valid
length and ignored the additional characters. ACOS now rejects the
password if the length exceeds the max character limit.
271282 HA Normal Under certain circumstances, the UDP sessions for SLB UDP virtual- 2.7.1-GR1
ports (other than port 53) with aging immediate template were not
being deleted on the standby unit after the active unit processed the
UDP response and deleted the session.
page 236
Feedback

A10
265075 FPGA Normal The FPGA buffer level dropped below a low threshold, so a health moni- 2.7.1-P6
tor was added to detect such events.
198437 Health Major Added tcl-8.6 to ACOS image to support running external tcl program. 4.1.0
Monitor


A10
353890 vThunder- Normal CVE-2016-8630 for vThunder on the KVM platform may have caused 4.1.1-P1
KVM the hypervisor to reload.
352976 IPSec VPN Critical If there was an incompletely configured “vpn ike-gateway”, the “clear 4.1.1-P1
vpn ike-sa” command caused “show vpn ike-sa” to pause.
352881 Explicit Critical With the explicit proxy configuration, if multiple Aho-Corasick class-lists 4.1.1-P1
proxy matched a string, then the priority value of the destination was not used.
351463 System - Normal CVE-2016-7042 for Linux Kernel 3.19 used in ACOS 4.x /proc/keys may 4.1.1-P1
Platform have led to stack memory corruption and kernel panic.
351260 Firewall Normal The firewall TCP window checks failed when the window scale was set 4.1.0-P8
to 0. The workaround for this issue is to disable TCP window checks on
the Thunder device, or configure the client and server to avoid using
TCP window scaling.
350810 Router Major If “router ospf” was configured with exactly the same network and the 4.1.1
same area ID or the same network with a different area ID, the dupli-
cates would be added and the network could not be removed individu-
ally without issuing the “no router ospf” command.
350272 SSL Major This release addresses CVE-2016-8610 SSL/TLS libraries: Malformed 4.1.1
plain-text ALERT packets could cause remote Denial of Service.
349684 System - Normal CVE-2016-7042 Dirty COW for Linux Kernel may be prone to a local priv- 4.1.1
Platform ilege-escalation vulnerability.
348658 SNMP Normal The statistics from the “snmpwalk” command were not showing prop- 4.1.0-P4
erly on all interfaces for hybrid platforms. Only the management inter-
face was showing the correct IF-MIB::ifInOctets and IF-MIB::ifOutOctets
responses.
347648 System - Critical Enabling system poll mode with the CLI command “system-poll-mode 4.1.1
Platform virtio enable” will reboot the ACOS device as expected. However, after
rebooting the device, the management interface IP is lost and the device
cannot get an IP anymore. This issue occurs with vThunder running on
OpenStack.
page 237
FeedbackF
Fee
e
Issues Fixed in Release 4.1.1

A10
327403 aXAPIv3 Normal • The GUI did not show the certificate and key that were imported in the
4.1.0-P2
private partition.
• After changing the partition via /axapi/v3/active-partition/p2, batch-

get returned objects from the shared partition instead of a specified
partition for the following URIs.
/axapi/v3/file/aflex
/axapi/v3/file/ssl-cert/oper
/axapi/v3/file/ca-cert/oper
/axapi/v3/partition
If the API call was made directly, the response reflected the specified
partition.
296029 Platform Normal In the case of a single-side fiber cut, the “show interface brief” com- 4.0.1-
mand did not show the link as down. Now Remote Fault Detection for SP11
10G fiber is supported on TH3230, TH3430, and TH5330 platforms.

The issues fixed 4.1.1 are listed in the Table 21. The issues are listed by A10 tracking ID, beginning with
the highest issue ID (the most recently logged issue).
TABLE 21Fixes in Release 4.1.1

A10
349739 Firewall Major The zone information in DCFW configurations was lost if the ACOS 4.1.0-P7
device joined an aVCS chassis.
347269 SSL Normal CVE-2016-6304 for OpenSSL OCSP status request extension may be 4.1.0-P5
exploited only if OCSP stapling support was enabled. The workaround
was not to use OCSP stapling.
339449 GUI Major The GUI did not show the certificates in the exception list if an email 4.1.0-P4
address was not configured in the ExpirationCheck page at ADC >> SSL
Management >> Expiration Email.
336473 SLB - L4 Critical With "reset-rev down" configured, disabling then enabling a real server 4.1.1
or real port triggered the RST sent from the ACOS to the Client.
334568 System - Major The "privilege write " command was setting ReadWrite permissions for 4.1.1
mgmt a user and the "no privilege write" command was not resetting the per-
mission to Readonly.
page 238
Feedback
TABLE 21Fixes in Release 4.1.1

A10
333463 SLB - L4 Major Assigning a PBSLB template for lockout to a virtual port caused a per- 4.1.0-P5
manent lockout.
If a PBSLB template that included the lockup property was assigned to

a virtual port, the lockout functionality was instantiated that caused you
to be permanently locked out.
The workaround was to make sure that lockout was not configured for
any template that would be applied at the virtual port level.
333038 Explicit Major After applying a policy template under a virtual port and not applying a 4.1
Proxy service-group, the virtual-port status was down and could not handle
explicit proxy request
332615 System - Major If a class list was created from the CLI, then a class list file with the 4.1.1
mgmt same name was imported, the “show run class-list name” output was
different than the “show class-list name” output.
With the fix, they are no longer merged together. The workaround is to
delete the original first, instead of trying to overwrite it.
page 239
FeedbackF
Fee
e
page 240
Known Issues in ACOS 4.1.1
This chapter describes limitations in ACOS 4.x.
• Known Issues in 4.1.1-P13
• Known Issues in 4.1.1
Known Issues in 4.1.1-P13

There are no additional known issues in the ACOS Release version 4.1.1-P13.

There are no additional known issues in the ACOS Release version 4.1.1-P12.
Feedback page 241

FeedbackF
Fee
e

There are no additional known issues in ACOS Release 4.1.1-P11.


The following Table 22 lists the known issues in ACOS Release 4.1.1-P9.
TABLE 22Known issues in ACOS Release 4.1.1-P9.
A10
Tracking Version
ID System Area Severity Issue Description Reported
460837 System - Major The SSH access control does not take effect for vThun- 4.1.1-P9
platform der ports on Azure. In Azure Single Interface mode, only
1 interface acts as both the management and data inter-
face. ACOS allows traffic on port 22 before the "a10lb"
process comes up. This is expected behavior.
333961 L3V Enhance Some counters in the output of the "show resource- 4.1.1
ment accounting" command are incorrect. The default "current
value" of real servers, real ports, service groups, and
GSLB Geo-locations shows some value, but the current
value must be zero because there is no related
configuration. The "clear" command does not clear it.

page 242
Feedback
TABLE 23Known issues in ACOS Release 4.1.1-P8
A10
Tracking Version
ID System Area Severity Issue Description Reported
435640 System-Plat- Major When TH930 family(TH930/TH1030/TH3030) manage- 4.1.1-P6
form ment port was connected to Cisco C2950 fast ethernet
port, even when Thunder management port was dis-
abled, the Cisco C2950 port did not change from link-up
to link-down.
430636 GUI Major Thunder (TH1030) reboots after it was downloaded with 4.1.1.P5
a large size > 250M size ACOS debug through GUI. This
is a very low reproducible issue.
430462 System - Major TH3040 10G ports do not function correctly after reboot 4.1.1-P7
platform when connected to Brocade ICX7450 SFP+ 10G ports.
428875 L2/L3 Major When capturing packets with ACOS debug, a display 4.1.1.P5-
issue occurred, causing erroneous values to appear in SP2
the ACOS debug output for VLAN numbers. This issue
was seen for incoming IP packets with non-zero DSCP
values on tagged interfaces.
383891 Firewall Major VMaster blocks configuration of interface of vBlade if 4.1.1-P3f
"Local zone" in zone is existing it the axAPI Local zone
configuration


The following Table 24 lists the known issues in ACOS Release 4.1.1-P6

A10
375667 ConfigMgr Major When there was a long latency command running on the 4.1.0-P7
ACOS device such as import, export, copy, backup, or IPMI,
the command continued to run until it was finished.
Subsequent commands were not run until the long latency
command finished running. This behavior was
independent of running CLI or aXAPI commands.
page 243
FeedbackF
Fee
e

Table 25 lists the known issues in ACOS Release 4.1.1-P5

A10
401230 SLB-ICAP Major In ICAP deployments, the ACOS device may sometimes 4.1.0-P9-
reload when enabling the “icap reqmod” and sending the SP2
post file.
401023 Health- Major The health monitor for MySQL database leaves an errone- 2.7.2-P11
Monitor-L7 ous log message on the server when the TCP socket for
the health monitor is closed without a “QUIT” or “Exit” com-
mand.
400775 System - Critical RBA configuration does not work on “no logging no- 4.1.1-P3
manage- access log”.
ment
380923 SLB-HTTP Major The connection reservation counters are not properly 2.7.2-P10
updated when strict transaction switching is triggered.
This may cause the conn-limit feature to break.
374228 SSL Major In SSLi deployments, the “Current” counter may some- 4.1.1-P2
times show a negative value in the output of the “show slb
ssl-counter” command when handling SSL traffic.
359863 Health- Major The Database Health Monitor (Oracle) does not work in 4.1.1-P1
Monitor- any L3V partition, but the shared partition has no issues.
Infra
page 244
Feedback


A10
398215 System- Major Attempting to upgrade the ACOS software fails when 4.1.1-P4
platform using the CLI TFTP command.
In such cases, ACOS fails to connect to the TFTP server,

and the following error message is displayed:
“Sending to client. Windsock error 10014”
(See Upgrade Fails When Using TFTP for details.)

397706 System Major With the A10 TH5440 models, when using the copper SFP 4.1.1-P4
Platform on the Ethernet interface, in some rare cases, the remote
and local peers could not complete auto-negotiation, and
the ACOS device brought down the port.
Workaround: Disable and then re-enable the port.

396385 AWS Major When deploying vThunder in AWS and Azure deployments, 4.1.1-P4
the host ID is the same when creating the instance using
the clone AMI.
Clone AMI is the functionality of AWS or Azure, and ACOS

does not control it. Therefore, the host ID will be the same
when creating the instance using the clone AMI and per
licensed AWS and Azure images, where the UUID is not
unique. In this release, A10 Networks does not support
using these images for subscription pools.
396076 SSL Major ACOS Thunder device (with N5 x 2 core) was getting a 4.1.1-P3
hardware ring full counter that was incrementing
intermittently and unexpectedly. This could have caused
performance degradation if there were too many bad
requests.
394408 SLB-ICAP Major An issue may occur for ICAP response request lines that 4.1.0-P9
cross multiple packets, wherein the port number may be
added twice on the REQMOD packet.
394054 SLB-ICAP Major In ICAP deployments, if attempting to POST a large file, the 4.1.0-P9
connection may fail and you may get an error message
indicating that the "connection proxy queue depth exceeds
the limit (60001)".
This issue appears to be caused by the ACOS device run-

ning out of buffer space for larger packets, because the
device must first send all packets to the ICAP server
before it can send the file out to the internet.
393692 L2/L3 Major In aVCS deployments, the “untagged trunk" configuration 4.1.1-P4
my continue to be bound to a to VLAN even if you remove
the interface on the vBlade of the ACOS device.
page 245
FeedbackF
Fee
e

A10
393121 System - Major For vThunder using OvS-DPDK, this release only supports 4.1.1-P4
platform the ability to create or edit a vThunder instance via the CLI
on the host, and it is not supported to create or edit a
vThunder instance using the virtualization-manager GUI.
392740 System - Major Due to a missing initialization, the PSU status showed an 2.8.2-P8
platform Absent state in the "show environment" command output
on TH930/TH1030/TH3030 platforms.
392416 aFleX Enhance- ACOS does not provide full support for switching SSL tem- 4.1.1-P3
ment plates during aFleX CLIENTSSL_CLIENTHELLO events.
389455 System- Major When upgrading from 2.8.2-Px to 4.1.1-P2, the AX-5630 4.1.1-P2
platform remained in a LOADING state. This issue appears to be
caused by ACOS checking for a resource value before the
system resource numbers were created. The issue only
seems to happen upon the first-time booting, after upgrad-
ing from 2.8.2 to 4.1.1-P2.
Workaround: Reboot the device one more time.

389032 Router Major The "ha-standby-extracost" is not added while redistribut- 4.1.1-P2
ing IS-IS routes for IP-NAT.
387496 System - Major On vThunder systems running Azure and installed with a 4.1.1-P2
manage- single NIC, you cannot access the GUI and aXAPI on ports
ment 80 and 443. As a workaround, you can use other ports for
GUI and aXAPI access. For example, run the following
commands to access GUI and aXAPI on ports 8080 and
1112:
web-service port 8080
web-service secure-port 1112

383485 Hardware Major When running the CLI command "show int transceiver e" 4.1.0-P8
on an interface using a FINISAR 40-gig QSFP+, the output
for the Optical TX/RX power values displays "0". The
expected behavior is to show a value of "N/A". This is due
to the fact that the FINISAR QSFP+ does not support the
ability to display these values, per their own documenta-
tion.
382330 aXAPI v3 Major When using aXAPIv3 to send a "write memory request", 4.1.1-P2
the ACOS device returns an error message: "Communica-
tion error with LB process". This issue occurs under the
following conditions:
- if the destination is local
- if the profile is not '' or does not exist in the saved startup
profile
page 246
Feedback

A10
375667 ConfigMgr Major The CLI commands may hang if there are two simultane- 4.1.0-P7
ous CLI sessions and the first session is already executing
one of the long-latency commands, such as:
import/export/copy/backup
The second CLI session may hang if the user tries to run
one of the long-latency commands while the first session
is still working on the request.
364198 SLB-HTTP Major If the "keep-client-alive" option was configured, the ACOS 2.7.1-GR1
device did not remove session entries upon receiving a
RST/FIN packet from the client. This caused the connec-
tion with the client to remain open even after the FIN
packet.
359863 Health- Major The Database Health Monitor (Oracle) does not work in 4.1.1-P1
Monitor- any L3V partition, but the shared partition has no issues.
Infra
344836 System - Major When upgrading from 4.0.1 to 4.1.0-P5, the upper limit on 4.1.0-P5
platform the maximum number of supported object groups is
reduced from 256 to only 128 entries.
342955 System - Critical ACOS may allow multiple simultaneous upgrade requests 4.1.0-P5
platform from the API, CLI, and GUI.
339874 aFleX Major You may not be able to delete a service group if it was 4.1.1-P3
used in an aFleX script that was later deleted.
336658 System - Major An erroneous fan ID mapping was corrected in the ACOS 2.8.2-P8
platform software on Thunder 6430 models in order to align with
the information in the installation guide.
307219 Health- Major The ACOS device reloaded when the ACOS device ran a 2.7.2-P8
Monitor- health check to the Oracle Database.
Infra
287614 VCS Enhance- On aVCS deployments, the sequence number may 2.7.2-P6
ment become re-ordered and may no longer reflect what was
configured. This issue could happen if you insert a new
ACL entry with the sequence number located in the middle
of an existing ACL that is configured on the vMaster, and if
the vBlade is then reloaded or rebooted.
256261 L2/L3 Major When aVCS is enabled, the interface status in the CLI 4.0.1
shows "UP" while it shows "DOWN" in the GUI.
249916 L2/L3 Major Adding static IPv6 neighbor entries to Link local addresses 2.8.1-SP6
failed.
page 247
FeedbackF
Fee
e


A10
387496 vThunder Major On vThunder systems running Azure and installed with a 4.1.1-P3
single NIC, you cannot access the GUI and aXAPI on ports
80 and 443. As a workaround, you can use other ports for
GUI and aXAPI access. For example, run the following
commands to access GUI and aXAPI on ports 8080 and
1112:
web-service port 8080
web-service secure-port 1112
385783 Firewall Critical The first SIP data session is intermittently synced to the 4.1.1-P3
standby device.
385774 Firewall Critical In DCFW configurations with VRRP-A, clearing TFTP data 4.1.1-P3
sessions on the active ACOS device does not clear the
sessions on the standby device.
382330 aXAPIv3 Normal When using aXAPIv3 to send a “write memory request”, 4.1.1-P2
the ACOS device returns an error message: "Communica-
tion error with LB process".
This issue occurs under the following conditions:
- if the destination is local
- if the profile is not '' or does not exist in the saved startup
profile
380744 Web - ADC Major Chrome-supported ECDSA cipher suites do not match the 4.1.1-P3
CGN ECDSA cipher suites available on the FIPS device. If an
ECDSA web certificate or key is imported into a FIPS
device, the GUI will become inaccessible.
379409 SLB-NAT Major If the source NAT pool is not large enough to handle heavy 4.1.1-P3
traffic, the ACOS device may reset some of the connec-
tions. This, in turn, may cause ACOS to use the wrong
VRID MAC as the source-mac address in the RST packets.
378404 System - Major The configuration of monitor x (under interface) will be 4.1.1-P3
manage- lost after upgrading to 4.1.1-P3 from legacy 2.x build.
ment For example:
monitor both <--
monitor input <--
monitor output <--
page 248
Feedback

A10
376387 Config- Major For an ACOS device with VRRP-A configured, using the 4.1.1-P2
Mgr aXAPI method “cli.deploy” to force self-standby correctly
pushes the ACOS device into “Forced Standby Mode”.
However, the aXAPI generates an error message.
375533 AAA Critical Partition awareness of LDAP auth does not work by HTTP/ 4.1.1-P2
HTTPS/SSH login.
376387 Config- Major For an ACOS device with VRRP-A configured, using the 4.1.1-P2
Mgr aXAPI method “cli.deploy” to force self-standby correctly
pushes the ACOS device into “Forced Standby Mode”.
However, the aXAPI generates an error message.
375667 Config- Major The CLI commands may hang if there are two simultane- 4.1.0-P7
Mgr ous CLI sessions and the first session is already executing
one of the long-latency commands, such as:
import/export/copy/backup
The second CLI session may hang if you try to run one of
these long-latency commands while the first session is
still working on the request.
374518 aFleX Normal An HTTP response failure occurs if both response-con- 4.1.1-P1
tent-replace and aFleX HTTP::payload replace method
are simultaneously configured in an HTTP template.
370735 L2/L3 Critical Enabling or disabling a 100 Gbps port while traffic is flow- 2.8.2-P5
Broadcom ing at a decent rate causes all outbound traffic to be
dropped at the XAUI level. Once this issue is triggered, the
only way to recover the device is by reloading.
370657 Config- Normal In SSLi configurations with VRRP-A redundancy config- 4.1.1-P1
Mgr ured, the chain certificate may not get correctly synchro-
nized to the standby device when using Configure Sync.
365794 SSLi Normal Non-TCP/UDP traffic may bypass the security/FW device 4.1.1-P2
and get forwarded to the internet. The “redirect-fwd” or
“redirect-rev” command options are not effective when
configured under “port 0 others” virtual port, so traffic may
not be redirected to the security/FW device.
360788 Web - ADC Major The ACOS device does not support the ability to view, 4.1.0-P8
CGN delete, or export the Certificate Signing Request (CSR)
using the GUI. Therefore, it is recommended to use the CLI
to handle any of these operations involving the CSR.
page 249
FeedbackF
Fee
e

A10
356663/ SLB-Con- Critical VRRP Config Sync will fail if the second device has a VIP 4.1.0-P7
382397 fig (or ACL) of the same name but with a different IP.
Changing the IP address of an existing virtual-server is not

allowed. The virtual-server needs to be deleted first and
then added again with the new IP address.
In this case, since the peer already has a VIP with the
same name and a different IP address, a sync shows up
as a modification of the IP address for an existing virtual-
server and is rejected.
Workaround: Remove the virtual-server on the peer before

initiating the config sync.
333931 License Normal The License Manager API call does not correctly populate 4.1.0-P2
Manager some of the “show license-manager” fields.
For example, the “interval” and “instance-name” fields may

be missing values after posting the aXAPI.
However, the two fields may display the correct values

after using the write memory command and reloading the
ACOS device.


A10
373748 IPSec VPN Critical IPsec does not work if the ACOS device is reloaded or 4.1.1-P2
rebooted and if IPsec is running in stateless mode in an
L3V partition. However, it was seen that IPsec was OK if it
was running in the shared partition.
373531 SSL Major The third-generation SSL card SSL are not yet recognized 4.1.1-P2
on the Dashboard GUI page, and the SSL Acceleration field
will not show a checkmark for devices with this card.
372566 AAM Major For multi-factor authentication processing (such as: RSA, 4.1.1-P2
LinOTP, SMSPasscode), AAM does not support the attri-
bute “action-uri” in the form of the challenge-page in the
auth-portal.
page 250
Feedback

A10
372094 HVA Major On an HVA vThunder, if the working lead is changed for a 4.1.1-P2
static trunk interface, the ping will fail. The workaround:
1. Shut down the vThunder instances.
2. Ensure all ports in the trunk are UP.
3. Change the MAC address of the virtual file system (vfs)

used for the trunk to the same MAC addresses as the
vThunder instances.
4. Boot up the vThunder instances.

371761 System - Major When installing a vThunder for KVM instance and using 4.1.1-P2
platform the “import existing disk image” method, the process
“a10lb” may sometimes reload. This could happen if you
have not added any data interfaces, and the problem may
be more prevalent if the disk image used for importing
was created by an older version of the Ubuntu operating
system.
371680 System - Major vThunder for VMware does not support Jumbo Frames 4.1.1-P2
platform while in DPDK mode with VMXNET3 data interface type.
371369 System - Major When using the CLI command import-periodic to 4.1.1-P2
manage import a class list, the file is successfully imported, but you
cannot delete the file using the no class-list clist-
name command.
Workaround: Issue the no import-periodic class-

list clist-name, and then the no class-list clist-
name.
370997 SLB - L4 Major When creating a virtual-port with ‘0 others’, ACOS uses the 4.1.1-P2
TCP default template parameters. However, upon unbind-
ing the UDP port template from the virtual-port with ‘0 oth-
ers’, the ACOS device is falling back to the default UDP
template parameters, and this could cause inconsistent
behavior.
370912 System - Critical Reloading the vThunder for KVM instance may cause the 4.1.1-P2
platform instance to shut down when running KVM on Ubuntu
12.04 or earlier. Therefore, A10 Networks recommends
running Ubuntu 16.04 (or later) for vThunder for KVM
deployments.
370468 System - Major ACOS does not support the ability to configure different 4.1.1-P2
platform numbers of I/0 CPU cores in aVCS environments. You will
not be prevented from using the “system io max-cores”
command to set the max number of I/0 CPU cores in
aVCS environments. However, if the I/0 CPU cores are dif-
ferent, the data CPU may be different, and this could cause
problems for session synchronization. A10 Networks rec-
ommends that you configure the same number of I/0 CPU
cores in aVCS environments.
page 251
FeedbackF
Fee
e

A10
369716 AAM Major When configuring AAM on the ACOS device, modifying the 4.1.1-P2
“ca-cert” configuration in the client-ssl-template via the CLI
(to bind a non-existent OCSP server or service-group), may
cause an incomplete “ca-cert” to appear in the running-
config of the template.
369616 System - Major When an interface belongs solely to a network private 4.1.2
Platform
partition, irrespective of the configuration inside the
shared partition, if it is removed from the private parti-
tion using the no interface ethernet number CLI com-
mand, the interface will remain down.
Workaround: Re-configure the interface by using the

disable and enable CLI commands.
368086 System - Major ACOS does not support LACP on any virtual platforms, 4.1.1-P2
platform with the exception of the Thunder Hybrid Virtual Appliance
(HVA), which has host-side customization to support
LACP.
367691 aVCS Major The backup and restore functionality is not supported in 4.1.1-P2
aVCS configurations. If the backup configures aVCS after
restoring a device, some port mapping may experience
issues. This is because ACOS copies the target device's
management IP to all device settings, and this could cause
devices to lose their connection after reboot.
365947 GiFW Major When the active device in a VRRP-A configuration has 32 4.1.1-P2
million RADIUS table entries, the standby device takes a
long time (~9 hours) to finish adding table entries. During
this time, the control/data CPU shows 99% utilization after
the standby device has reloaded.
365896 System - Critical When using vThunder for KVM (OvS-DPDK) and Jumbo 4.1.1-P2
platform Frame Support, issues may occur. Jumbo Frames are
supported in OpenvSwitch 2.6.0, which works with DPDK
16.11. But Jumbo is not supported for OvS versions older
than 2.6.0.
For instructions on enabling Jumbo Frame support in OvS-

DPDK environments, see this document on Intel’s website:
https://software.intel.com/en-us/articles/jumbo-frames-
in-open-vswitch-with-dpdk
365528 System - Major When using vThunder for KVM (Virtio) and enabling “virtio- 4.1.1-P2
platform dpdk”, the system reserved more memory than was nec-
essary (approximately 10%) for faster packet processing.
365204 Backup/ Major During backup/restore, if there is a common prefix where 4.1.1-P2
restore one parameter (for example, "object) is a complete sub-
string of another parameter (for example, "object-group"),
the auto-completion of the command will result in the
"object" getting converted to "object-group". This is
because the field "object" does not exist due to the feature
being disabled. Therefore, A10 recommends that when
using backup/restore, the licensed capabilities of the
ACOS devices must be compatible with one another.
page 252
Feedback

A10
364865 System - Major When performing a backup/restore, after restoring the 4.1.1-P2
platform ACOS device, the startup-config may become out of sync
with the running-config and some commands will not be
supported on the target device. This could happen if the
backup SLB resource-usage exceeds that of the target.
Use the “write memory” command after rebooting the
device as this will cause the startup-config to mirror the
running-config.
363892 System - Critical You can install vThunder for KVM (with SR-IOV) on a hard- 4.1.1-P2
platform ware platform running Ubuntu Server 16.04 LTS Linux
server or CentOS/RedHat version 6, and KVM version 0.14
(qemu-kvm-0.14.0) or higher. A10 recommends Ubuntu
16.04 or later for KVM deployment.
363695 System - Major An immediate reboot is required after using a backup file 4.1.1-P2
platform to restore an ACOS device. After using a backup to restore
the device, no other operations are permitted until the box
is rebooted.
363571/ Web - Normal The GUI does not support new hairpin counters, such as 4.1.1-P2
363568 ADC/CGN the statistics for “system-status” and “full-cone-sessions”,
which would appear under the CLI equivalent command
show counter fw global.
361579 SSL Normal If the user upgraded from 2.7.2 to 4.1.1 with an SSL con- 4.1.1-P1
figuration that included unsupported characters, a parse
error message appeared that did not provide adequate
information to identify the problem.
358378 System - Critical IP packets over 1500 bytes that have the “fragment flag” 4.1.1-P2
platform enabled will get dropped. When configuring the MTU value
over 1500 bytes, packets larger than the configured value
will be dropped. For example, if you set the MTU for all
interfaces to 2000 bytes, then 'ping' packets larger than
2000 bytes will get dropped.
358208 System - Major Downgrading from a GLM license model to a non-GLM 4.1.1-P1
platform license model is not supported. Downgrading from 4.1.1
to other non-GLM supported version will result in license
loss. After downgrading, the older license can be reap-
plied.
page 253
FeedbackF
Fee
e

A10
354857 SLB-L4 Major When dns query-id-switch is configured, it needs to be 4.1.1
configured on all the VIPs or not configured on any of the
VIPs. Having it on some but not on others might cause
DNS traffic handling to be incorrect.
354068 Upgrade Major The following issues may exist when attempting to 4.1.1-P1
upgrade from 2.7.x, or 2.7.1-GR1, or 2.8.x to 4.1.1-P1 or
4.1.1-P2:
• If the user upgrades to 4.x and then downgrades the

device back to 2.x, the startup-config profiles may no
longer be usable.
• When upgrading the system to 4.x, it is recommended

to avoid using startup-config profiles with similar
names, such as “<profile>” and “<profile>_40”.
The reason for this limitation is that ACOS will generate
a new profile called “_40” based on the name of the old
“<profile>”, so the startup-config profile could be unus-
able if the old profile name (“<profile>_40”) is overwritten
by the new file name during system migration.
• Before upgrading from ACOS 2.x to 4.x, it is strongly rec-

ommended to do a system backup. If a downgrade to
2.x is required, you can restore the device using the sys-
tem backup package to have the complete 2.x environ-
ment.
• ACOS supports conversion of the default startup-config

file by creating an old 2.x backup profile (“Default_prima-
ry_old” and/or “Default_secondary_old”). ACOS replaces
the original default files with the newer 4.x version pro-
files. For example:
• Before upgrading from 2.x to 4.x, if the user has both pri-
mary and secondary profiles with version 2.x, during
upgrade, ACOS creates two new profiles “Default_prima-
ry_old” and “Default_secondary_old” with the same con-
tents of the old 2.7 default profiles as a backup.
• During upgrade, ACOS replaces the original default pro-

files in the 4.x version.
• After upgrading, ACOS will continue to use the default-

startup profile, but the content was already converted to
the 4.x version. Therefore, the user could see the old ver-
sion of the profile as the name of “Default_primary_old”
and “Default_secondary_old”.
page 254
Feedback


A10
354047 vThunder - Major Jumbo frame support is enabled by default. 4.1.1-P1
AWS
353863 SNMP Major The “snmp-server trap-source” command is not supported 4.1.1-P1
under the loopback 0 interface or the management inter-
face. The trap source is designed for the interfaces other
than 0.
353843 Health Major A health-check configured via port template or server tem- 4.1.1-P1
Monitor plate under the service-group level may not work when
coupled with a direct heath-check configuration. The
guideline is to use a direct health-check configuration
under the service-group and a port template health-check
under each service-group member as needed. The work-
around is to not use health-checks configured under
server template and port template under the service-group
directly.
353572 Platform Normal For all platforms with 128GB memory, the resource-usage 4.1.1-P1
setting (“show system resource-usage,” “show slb
resource-usage,” etc.) is set the same as the platforms
with 24GB except GSLB-related settings.
353270 aVCS Major Certain device-specific configurations will be lost after the 4.1.1-P1
vBlade reloads in an aVCS environment with an ACL con-
figured under the “enable-management service ssh” com-
mand.
353078 vThunder- Major The i40e driver only works when DPDK is enabled on a 4.1.1-P1
KVM KVM vThunder.
353024 IPsec VPN Minor OCSP succeeds when the responder certificate (config- 4.1.1-P1
ured in the OCSP object) is invalid, if the correct responder
certificate is provided in the OCSP response.
352847 vThunder- Major When downgrading from 4.1.1 to 4.1.0 on the AWS plat- 4.1.1-P1
AWS form, the vThunder fails to load. In 4.1.1, support is avail-
able for 32 cores or multi-socket instances. Downgrading
to an instance with a greater number of CPUs or multi-
socket instances is not supported.
352733 vThunder - Enhance- On the AWS-HVM platform, the default username and 4.1.1-P1
AWS ment password are admin/a10, while AWS pvgrub had a differ-
ent password of admin/instance-id.
352568 SLB - Major The correct order of precedence between the DSCP con- 4.1.1-P1
HTTP figuration is given below:
1. Virtual port template DSCP.
2. Real port template at service group level.
3. Real port template at real port level.
page 255
FeedbackF
Fee
e

A10
352261 SSLi Major If forward-proxy-bypass client-auth is configured in 4.1.1-P1
the client SSL template for server “s1” (for example), the
server “s1” is not configured to request a client certificate.
Thus, any request to “s1” was correctly proxied. If the cert
cache is not cleared and the server configuration is
changed to request client cert and to send the request
again, the inside device decrypts the session and the
server SSL handshake fails when the backend server
sends the client cert request.
352249 System - Major While upgrading from 2.7.2-Px, parse errors are displayed 4.1.1-P1
Platform in the log regarding “system resource-usage cache-tem-
plate-count” and “system resource-usage aflex-table-
entry-count.” Release 4.1.1 changed the allowable limit for
aFleX configurations at the system level, and support was
removed for cache template count at the system level.
351789 SLB - L4 Critical Enabling the hardware syn-cookie intermittently disables 4.1.1-P1
server load balancing whether “no-dest-nat” (DSR mode) is
configured under any virtual port under a virtual server
(expected behavior) or not (unexpected behavior).
351488 IPsec VPN Critical On Thunder Series models that have second-generation 4.1.1-P1
SSL cards, when all cores were assigned to IPsec, the SSL
functions do not work. All related SSL configurations are
lost if the device reloads or is rebooted.
page 256
Feedback

A10
351373 L2/L3 Critical The VIP did not respond to ping requests after reconfigur- 4.1.1-P1
ing the trunk under the VLAN.
Steps to see the issue:
1) Configure VRRP-A.
2) Configure tagged/untagged Ethernet/Trunk ports under

a VLAN (could be in both L3v and shared partition). Create
a VE and assign an IP address to it.
3) Configure a virtual server with an IP address in the

same subnet of the VE and write memory. Send traffic to
the VE’s IP address and virtual server IP from a peer end
(both works).
4) Remove the tagged/untagged Ethernet/Trunk port from

the VLAN.
5) Reload or reboot the ACOS device. Configure back the

same tagged/untagged Ethernet/Trunk ports to the VLAN.
6) Send traffic to the VE’s IP address (works) and virtual

server IP from the peer end (does not work).
Workaround can be any of the following:
1) Remove VLAN and add it back.
2) Remove the router-interface VE, add it back, and add its

IP address.
3) Add the tagged/untagged Ethernet/Trunk, write mem-

ory, and reload/reboot.
4) Use the vrrp-a force-self-standby enable and

vrrp-a force-self-standby disable commands.
350425 Router Major The “router ospf” command would accept area IDs in the 4.1.1
format of a decimal or the format of an IP address, but not
both. The first format entered would become the only for-
mat accepted.
349079 vThunder - Normal On the AWS-HVM platform, M4.16xlarge instances with 4.1.1
AWS Elastic Network Adapters are not supported.
348076 L2/L3 Major After configuring two Virtual Ethernet interfaces (one 4.1.1
tagged and the other untagged) and assigning their asso-
ciated IP addresses to a bridge-vlan-group, ARP requests
were sent on only one VLAN in the bridge-vlan-group and
also only one port in this VLAN.
page 257
FeedbackF
Fee
e
Known Issues in 4.1.1

The following Table 30 lists the known issues in ACOS Release 4.1.1.
TABLE 30Known issues in ACOS Release 4.1.1

A10
350756 AAA Major Authentication does not behave as expected when an LDAP 4.1.1
server is configured under both the shared partition and an
L3V partition. Two workarounds are:
• If an LDAP server is configured with a management inter-

face under the shared partition, include the command “ip
control-apps-use-mgmt-port’” under the management
interface.
• If an LDAP server is configured with a management inter-

face under the shared partition, do not configure an LDAP
server under an L3V partition if you want to access the
ACOS device with the “partition name/username” format.
350600 vThunder- Critical On OpenStack vThunders, DHCP only obtains the IP address 4.1.1
OpenStack but does not obtain the MTU setting. The workaround is to
change the MTU setting manually.
350120 vThunder- Major Depending on the platform, vThunders experience high 4.1.1
System latency when directly connected to a Linux server by a virtual
switch. Interrupt mode is expected to have higher latency,
but even the poll mode had slightly higher latency compared
to hardware platforms.
349949 System - Major On vThunder for VMware instances, the NIC naming is 4.1.1
Platform sorted based on the PCI physical slot number, which is dif-
ferent from the order a NIC was added on the host. If a NIC
is deleted, and it is not the last one in the “show interface
brief” list, then the NIC list changes so the MAC address and
associated interface are incorrect.
349195 L2/L3 Major For any static route added through the management inter- 4.1.1
face, the administrative distance is set to zero.
349112 GUI Enhance A template created from Security >> SSLi >> Template can- 4.1.1
ment not be bound in the GUI or the CLI.
348920 vThunder- Minor In the OpenStack architecture, only one IP address can be 4.1.1
OpenStack assigned to one port. In a VRRP-A scenario, floating IP
addresses need to be configured on both vThunders, so
VRRP-A is not supported on vThunder for OpenStack.
348323 GUI Minor With Internet Explorer 11.0.9600.17501IS, drop-down lists in 4.1.1
the GUI will sometimes appear off screen when selected.
Workaround: Use Internet Explorer 11.0.9600.17959,

11.0.9600.18097, or another web browser, such as Chrome
or Firefox.
page 258
Feedback

A10
348106 SLB Major When the max session count was allocated for the “fwcps- 4.1.1
limit-cfg” under “system resource-accounting template
<template_name>,” 1% of the session is allocated and dis-
tributed to data CPUs equally. This allocation is done
because the packet could land on any data CPU and the
packet must not drop if the buffer is not allocated. After the
first 1%, if any data CPU requires more buffer, it is allocated
from the assigned max session.
347803 L2/L3 Enhance The system template-bind command is missing in L3V 4.1.1
ment partitions.
347648 vThunder- Critical Enabling system poll mode with the CLI command system- 4.1.1
OpenStack poll-mode virtio enable will reboot the ACOS device as
expected. However, after rebooting the device, the manage-
ment interface IP is lost and the device cannot get an IP any-
more. This issue occurs with vThunder running on
OpenStack.
347645 IPsec VPN Critical Configuring vpn nat-traversal-flow-affinity may 4.1.1
cause IPsec UDP packets to not pass through a NAT device.
The vpn nat-traversal-flow-affinity command is for
enhancing the performance of an IPsec tunnel based on the
ACOS packet distribution method. When it is configured and
NAT-T is in use, the source port of the encapsulated UDP
IPsec packet based on the inner traffic is changed (for TCP/
UDP mainly). If a session-based NAT device is present in
between, the source port change may cause the IPsec UDP
packet to not pass through the NAT device.
Note: Do not configure vpn nat-traversal-flow-affinity.

347399 IPsec VPN Critical A limitation with NAT-T and "vpn jumbo-fragment" exists. 4.1.1
When NAT-T is enabled with "vpn jumbo-fragment" on one
VPN gateway, the peer VPN gateway must not configure
"vpn fragment-after-encap" otherwise the fragments gener-
ated by the peer gateway are not forwarded properly.
347350 GUI Critical The GUI does not display with Internet Explorer version 4.1.1
11.0.9600.18097.
Workaround: Use Internet Explorer 11.0.9600.18499 or later,

or another web browser, such as Chrome or Firefox.
346828 SNMP Critical SNMP walk does not consistently respond to OID 4.1.1
1.3.6.1.4.1.22610.2.4.1.3.7 in a shared partition, depending
on the type of platform, number of CPUs, configuration, and
number of partitions.
345899 System Major The SNMP server host configured with a hostname under 4.1.1
L3V partitions does not send out logging/traps.
344854 SSL Enhance There is no timeout parameter in the hsm template com- 4.1.1
ment mand because the timeout cannot be controlled by the
ACOS device.
344056 SSL Major When importing a Thales cert/key generated by another 4.1.1
device into the ACOS device, the import fails and you must
use the “reload” or “reboot” command.
page 259
FeedbackF
Fee
e

A10
344038 SSL Enhance There is no output alert message when adding or deleting 4.1.1
ment the Thales HSM device to inform that the changes take
effect after a service restart.
343114 VRRP-A Major Resource template configuration synchronization intermit- 4.1.1
tently fails in VRRP-A mode.
341333 NAT-CGN Major The show se command shows the Conn SMP Alloc traffic 4.1.1
type total as 5 after reloading with an empty config.
341116 vThunder- Normal System Poll Mode (i.e., DPDK) can only be enabled on 4.1.1
VMware vThunder for ESXi if the server is running VMware ESXi 5.0,
Update 1 or newer releases.
340778 SLB - L4 Critical The “pkt-rate-limit” feature is not supported with L7 HTTP 4.1.1
virtual ports. However, the rate-limit can still be used for the
SYN packets received on L7 virtual ports.
340510 vThunder- Normal Intermittent issues occur on vThunder for KVM instances 4.1.1
KVM running kernel 2.6. The supported platform is Ubuntu 12 and
Ubuntu 15 with kernel version 3.x or newer.
340028 GUI Major The GUI does not show aFleX script content properly when 4.1.1
an aFleX script with a space in the name is updated in the
CLI.
339751 Azure Critical The Internet-facing VIP is only supported on the default NIC 4.1.1
in classic deployments. There is only one VIP to the IP of the
default NIC.
339413 VRRP-A Major If there are multiple device-IDs in the same set-ID group, the 4.1.1
show vrrp-a all-partitions command only shows the
active-standby peer that has the “*” label in the output.
338972 GUI Major Disk usage is increasing with 8K SLB server-related configu- 4.1.1
ration. The workaround follows:
To reduce disk space consumption, disable some SLB

objects’ rrd statistics functions.
1. Usually, the server will use an SLB server template,

named as “default”. Change the SLB server
“default” template’s “Stats Data” to Disable.
2. Change this server’s “Stats Data” to Disable.
3. Change the time zone, which will cause all rrd filed
to be removed.
This server’s rrd file will not be created.
337643 SNMP Major SNMPv3 was not supported in L3v partitions. 4.1.1
337070 vThunder- Major vThunder does not support 16 CPUs with 4G memory on the 4.1.1
KVM KVM SR-IOV platform.
336116 aVCS Major The CLI command aflex-scripts does not work in an 4.1.1
aVCS environment. The aFleX script cannot be fully synced
from master to blade. The workaround is to use the aflex
create and aflex delete commands.
page 260
Feedback

A10
335947 SLB - Normal Unable to setup email logging with modules. The “logging 4.1.0-P4
Logging email filter” command returns an invalid command mes-
sage.
335789 SLB - Critical A bw-list policy is supported only at the system level or at 4.1.1
Policy the virtual port level. It is not supported at the virtual server
or service-group level. If configured as such, then it does not
take effect.
334754 vThunder- Minor On a vThunder for KVM (Virtio) instance with 5 CPUs, the 4.1.1
KVM (vir- show cpu command only shows 3 CPUs, which is due to the
tio) IO CPUs being hidden.
334229 SNMP Major Routing traps in L3V are not supported on a shared VLAN. 4.1.1
332330 SNMP Major An ACOS device using the shared VLAN feature of L3v parti- 4.1.1
tions cannot send SNMP traps from L3V partitions using the
data interface if the “ip mgmt-traffic all source-interface ve”
command is configured, where the VE interface belongs to
the shared VLAN.
331949 vThunder/ Enhance Uploading and submitting GLM-licenses through the GUI 4.1.1
BareMetal ment System >> Admin >> Licensing page is only supported on
vThunder and BareMetal.
331772 VRRP-A Major The "show config sync status" feature does not support data 4.1.1
files.
331175 IPsec VPN Critical Traffic cannot pass through the IPsec tunnel when the vpn 4.1.1
ike-gateway used an IPv4 address, but the vpn IPsec bind
tunnel is an IPv6 address and vpn stateful-mode is config-
ured.
330995 VRRP-A Major The show config sync status feature does not support 4.1.1
changing the system time.
330986 NAT-CGN Major ACOS hangs for approximately 2 hours when running a lw- 4.1.1
4o6 binding-table file with the maximum number of entries
(4194304).
330968 GUI Major Viewing config sync status is not available in the GUI. It is 4.1.1
only supported in the CLI with the “show config-sync” com-
mand.
330809 GUI Major From the ADC >> SLB >> Class Lists >> Import page, a file 4.1.1
with the extension “.tar.gz” cannot be exported and then
immediately re-imported. The GUI message show the import
as successful, but the file is not imported.
330047 GUI Major From the ADC >> aFleX page, a file with the extension 4.1.1
“.tar.gz” cannot be exported and then immediately re-
imported. The GUI message shows the import as success-
ful, but the file is not imported.
330017 IPsec VPN Critical IPv6 IPsec does not work in L3V partitions. 4.1.1
327013 Shared Major SSH from the ACOS device to a different device is not sup- 4.1.1
VLAN ported from the shared VLAN in a private partition on a
VRRP-A standby device unless it is used in the following
manner: “ip mgmt-traffic ssh source-interface source-ip
a.b.c.d,” where a.b.c.d is the shared VLAN interface.
324998 Explicit Major The client fails to retrieve the file transfer data when “tem- 4.1.1
Proxy plate client-ssl” is bound to the “port 21 ftp-proxy” virtual
port.
page 261
FeedbackF
Fee
e

A10
324149 Explicit Enhance Explicit Proxy with FTP-proxy does not support IPv6 to iPv4 4.1.1
Proxy ment and IPv4 to IPv6. The query type is chosen according to the
front-end connection's type, so the front-end and back-end
must be the same.
316252 System Critical 1 GB fiber SFP transceivers are not supported on the 10 GB 4.1.1
ports for the TH3040 model.
Note: If a 1G/10G Multi-rate transceiver is used in a 10Gb

port with a 1G link partner, it will act as a 1G port.
309923 VCS Major A vBlade’s interface, trunk, virtual ethernet, nor VLAN cannot 4.1.0
be configured using the GUI to a vBlade Device Context
under aVCS.
306910 L2/L3 Major If a 1 GB SFP transceiver is inserted into a 10 GB port while 4.1.0
the system is already up and running, the 1 GB SFP is not
recognized until the port is disabled, then enabled again.
In earlier releases, the 1 GB SFP was immediately recog-

nized without having to disable and enable the port. (Only
Non-FTA models have this limitation.)
293620 System Enhance Migration of Role Based Access related configuration is not 4.1.1
ment supported when upgrading from Legacy 2.7.2.x or 2.8.2.x
releases.
291367 vThunder Normal vThunder disk size does not change when expanded. 4.1.0
283405 System Normal Migration of Explicit Proxy related configuration is not sup- 4.1.0-P5
ported when upgrading from Legacy 2.7.2.x or 2.8.2.x
releases.
page 262
Limitations in ACOS 4.1.1
This chapter describes limitations in ACOS 4.x.
The following topics are covered:
• Software Limitations
• Hardware Limitations
• Documentation Limitations
Software Limitations
The following limitations are related to ACOS Release 4.x (specific release limitations are so noted in the
descriptions):
• Unable to Establish Copper Links UP If Configured 100/full or 10/full
• L3V Interface Disabled After Upgrading
• SSLi Single Partition with Explicit Proxy Source NAT
• External SSLi DATA CPUs running Higher
• SSL Forward Proxy Context not Updated
• Dynamic Port Intercept on IP-Less SSLi
• Server-SSL Template Binding
• SSL Fail Handshake Statistics Not Incremented
• Multiple Filters for CLI Output
• SLB and CGN Code Limitations
• Health Monitor for SLB with Hostname
• IPv6 NAT for FTP Proxy
• MMS Traffic for SLB
• Information for 1G SFP on 10G Ports Not Displayed
• SNMP Read for GSLB Groups Does Not Support Identical Host Names
Feedback page 263

FeedbackF
Fee
e
• Overlay Functionality Limitations
• NAT Pool Statistics Limitation
• VRRP-A Configuration Sync Limitation
• Firewall Forced Timeout Limitation
• aXAPI Functionality Limitations
• Form-based Relay Pages Limitations
• Known GUI Limitations
• DHE Support Limitations
• AAM Limitations
• 4.1.1-P2 AAM Limitations
• AAM aFleX Limitations
• aFleX Limitations
• IPsec VPN Restrictions and Limitations
• VPN Tunnel Cannot Be Up with SLB Virtual Server Enabled on Azure
• Incoming Axdebug/Debug Packets Are Not Captured on Azure
• Active FTP on vThunder for Azure With KDEMUX Drivers Does Not Work
• Passive FTP on vThunder for AWS and Azure Does Not Work
• VRRP-A and VCS on vThunder for AWS and Azure Does Not Work
• vThunder Cannot Ping Standby Interface in VPPR-A Deployments with L3 Inline Mode
Unable to Establish Copper Links UP If Configured 100/full or 10/full

The TH3030S is unable to establish copper links UP with some other vendor switches, if configured
100/full or 10/full. The system is working fine with auto/auto.
(A10 Tracking ID: 452920).
L3V Interface Disabled After Upgrading

The status of the interfaces in L3V become disabled after upgrading from ACOS 2.7.2 to 4.1.4-Px. How-
ever, the status of the interfaces in the shared partition were maintained after upgrading.
page 264
Feedback
SSLi Single Partition with Explicit Proxy Source NAT

If SSLi is configured for use in a single partition, source NAT for explicit proxy is not supported. This is
illustrated here with the CLI command and highlighted parameter, configured as an action in a forward-
policy under an slb policy template:
forward-to-proxy service-group snat snat-pool
External SSLi DATA CPUs running Higher

When the connection per second rate in a SSLi deployment is approaching the capacity of the platform,
system displays up to 30% higher CPU utilization when compared to prior releases. This is due to
additional validation of certificates applied in the current release. Performance optimization is under
consideration and will be implemented in future releases.
(A10 Tracking ID: 437296
SSL Forward Proxy Context not Updated

SSL context was not updated when “forward-proxy-trusted-ca default_ca_bundle” was configured under
client SSL template.
This caused the request to erroneously pass to the internal server instead of providing a failed message
“Can't verify Cert-Rejected”
Dynamic Port Intercept on IP-Less SSLi

The back end traffic for Dynamic Port Intercept configuration on an IP-Less Layer-2 SSLi setup disre-
garded the redirect forward Ethernet ports. The traffic was observed, and transmitted at Layer 2
instead. This broke the SSLi proxy flow, and subsequently failed the traffic. The same configuration
functioned correctly on a single partition L2 SSLi setup with a virtual Ethernet interface IP.
page 265
FeedbackF
Fee
e
Server-SSL Template Binding

ACOS supports use of a server-SSL template with only one instance of a real port.
For example, if the same real server:port member is used in two service groups, it is valid to bind each of
those service groups to a different virtual port. However, if there are server-SSL templates configured
for both virtual ports, the server-side SSL behavior is not predictable and is not supported. It is recom-
mended to duplicate the real server port configuration with different real servers in each group.
In the following example, an ACOS system is configured with two virtual-servers, SSL_Internet_vip_001
and SSL_Internet_vip_003. And, each of these virtual servers are configured with an HTTP virtual port,
port 8080 http.
1. A different SSL-template and a different service group is applied to each virtual port.
• The SSL-template, SSL_Internet_vip_001_server_ssl, and the service group, sg2, are applied to
port 8080 http on SSL_Internet_vip_001.
slb virtual-server SSL_Internet_vip_001 0.0.0.0 acl 1

user-tag Security
port 8080 http
service-group sg2
template server-ssl SSL_Internet_vip_001_server_ssl
• The SSL-template, SSL_Internet_vip_003_server_ssl, and the service group, sg1, are applied to
port 8080 http on SSL_Internet_vip_003.
slb virtual-server SSL_Internet_vip_003 0.0.0.0 acl 3

user-tag Security
port 8080 http
service-group sg1
template server-ssl SSL_Internet_vip_003_server_ssl
2. The preceding configuration is supported when each service group specifies a different real server.
Service group sg1 specifies real server, rs1, and service group, sg2, specifies real server, rs2:
slb server rs1 192.168.1.10

port 80 tcp

port 80 tcp
page 266
Feedback

member rs1 80
template tcp1

priority-affinity
member rs2 80
3. However, the configuration in step 1 is not supported when both service groups specify the same
real server, rs1, as shown in the following:

port 80 tcp

member rs1 80
template tcp1

priority-affinity
member rs1 80
SSL Fail Handshake Statistics Not Incremented

In Release 4.1.1 P8, SSLi fail handshake statistics do not get incremented when client authentication
fails. The statistics are displayed in the show slb ssl stats command. The behavior on SSL hand-
shake failure updates counters If the traffic is bypassed, we do not increment the count.
Multiple Filters for CLI Output

In Release 4.1.1, multiple “|” characters can be used to filter CLI output; however, this option only works
with the show log command.
NOTE: Additional filtering options are available as described in “Searching and

Filtering CLI Output” in the Command Line Interface Reference.
SLB and CGN Code Limitations

In all 4.x releases, SLB and CGN must be enabled in separate partitions.
page 267
FeedbackF
Fee
e
Health Monitor for SLB with Hostname

There is currently no functionality to handle health monitoring for SLB servers with a hostname instead
of IP. Services are not listed in the output of 'show health monitor xxx' (protocol) command if the
health-monitor is bound to hostname SLB servers.
IPv6 NAT for FTP Proxy

ACOS does not support IPv6 NAT configuration for FTP proxy.
MMS Traffic for SLB

MMS traffic for virtual SLB server cannot pass through an ACOS device. The IP address in URL of RTSP
packet is not changed from SLB virtual IP to server IP when ACOS sends it to server.
The traffic can not pass through, we can see that the IP address in URL of RTSP packet is not changed
from slb vip(20.0.0.100) to server ip(20.0.0.10) when it is forwarded to ACOS server.
Information for 1G SFP on 10G Ports Not Displayed

The show interface media feature does not work correctly on ACOS. Information for 1G SFP connected
on 10G ports is not displayed under the show interface media command.
SNMP Read for GSLB Groups Does Not Support Identical Host
Names
In Release 4.1.0, SNMP OID functionality is enhanced to include GSLB group information. However,
members of the group must have unique host names. For example, consider this example output from
the show gslb group command:
ACOS# show gslb group

Group: default, Master: local
Member Sys-ID Pri Attrs Status Address
--------------------------------------------------------------------------------
local f6800a48 255 L* OK
vThunder c701a29 100 L Synced 192.168.102.206
vThunder e7cadf29 100 PL Synced 192.168.102.205
page 268
Feedback
In this example, the group contains two members, both named “vThunder” but with different IP
addresses (.206 and .205). Using SNMP read to view the GSLB group OID will yield results for a single
member, because the host names are identical (example is truncated for brevity):
root@ubuntu:~# snmpwalk -v 2c -c public 192.168.102.153

...
= STRING: "vThunder"
iso.3.6.1.4.1.22610.2.4.3.20.6.1.1.3.7.100.101.102.97.117.108.116.5.108.111.99.97.108
= STRING: "f6800a48"
iso.3.6.1.4.1.22610.2.4.3.20.6.1.1.3.7.100.101.102.97.117.108.116.8.118.84.104.117.110.100
.101.114
...
To work around this issue, you must manually change the host name for each member in the GSLB
group so that each host name is unique within the group.
Overlay Functionality Limitations

The following limitations are applicable for all 4.x releases:
• Overlay functionality on all platforms (FTA and non-FTA) does not support jumbo frames or frag-
mentation.
• Overlay functionality is only available with SLB configurations.
NAT Pool Statistics Limitation

The “NAT Pool Unusable” statistics in the show cgnv6 nat64 statistics and show cgnv6 ds-lite statis-
tics output does not get incremented as the NAT pool can be used by multiple technologies.
• This field works properly for LSN configurations, where there is outside-to-inside communication
(full-cone session).
VRRP-A Configuration Sync Limitation

In VRRP-A config sync environments, file type class lists that are configured from the CLI (and not
imported) must be saved with the write memory command in order for the class list configuration to be
synchronized to the vBlades.
page 269
FeedbackF
Fee
e
Firewall Forced Timeout Limitation

TCP session did not refresh when "force-delete-timeout" was configured with "alive-if-active" on a
firewall session-aging template and bound to active-rule-set. It was not possible to establish a TCP
session using SSH even after refresh.
Hence, to resolve this, the option "alive-if-active" for "force-delete-timeout" was removed from the
firewall session-aging option settings for TCP. This option is removed from CLI command "force-
delete-timeout" and AXAPI.
aXAPI Functionality Limitations

• The implementation of the aXAPI in the 4.x releases is not backwards compatible with any 2.7.x
or 2.8.x aXAPI implementations.
• The ACOS software does not provide support for the configuration of Health Monitors, VRRP-A, or
deletion of an interface that is part of a trunk using aXAPIs. Use the CLI for these operations.
• Issuing a block of configuration using the cli.deploy aXAPI method will cause the control CPU to
experience a spike to 100% while this operation is in progress. As soon as the configuration
change is applied, the Control CPU will revert to normal behavior.
Form-based Relay Pages Limitations

Currently, the following two scenarios are not supported by the back-end server:
1. Some form-based pages will require a user to provide a dynamic variable in response.
2. Some pages may not contain a “Content-Length” header or the “Content-Length” header may be too
short.
Known GUI Limitations

1. The following limitations are known in the GUI for release 4.1.1-P12:
• In GUI, it was noted that the forged certificates were showing all in hidden mode.
• Only the SSLi cached certificates were able to verify when the VIP, VPORT, Server IP, and Server
Port options were specified.
• To view the certificates information, hover over Security in the menu bar and select SSLi.
• The GUI page path is Security > SSLi > Reports > SSLi Certs > will only have option to check
SSLi cached certificates, when you specify the VIP, VPORT, Server IP, and Server Port and not all
the certificates.
page 270
Feedback
• This item will be moved to a more appropriate location in future releases.

2. The following limitations are known in the GUI for release 4.0.1:
• To view global session information, hover over CGN in the menu bar and select Session.
• This item will be moved to a more appropriate location in future releases.
• When switching aVCS device-context from the vMaster to a vBlade, configuration of the vBlade is
allowed as expected, but only statistical information from the vMaster is visible.
• Importing compressed files is not supported, except for SSL certificates.
DHE Support Limitations

• DHE ciphers might encounter crypto (hardware) failures for some SSL engines.
• SSLi Outside may encounter some crypto failures for some ciphers at load time.
AAM Limitations
ACOS 4.x does not support AAM configuration in any CGNv6 partitions.
4.1.1-P2 AAM Limitations

• For double authn cases, the two auth requests from the client must come from the same tcp con-
nection.
• The form on the challenge page for multi-factor authn server must not include an action uri.

So, for a challenge page like the one listed here:
<html>
<body>
<form name="chall" method="POST">
$replymsg$: <input type="text" name="chalv">
<input type="submit" value="Submit">
</form>
</body>
page 271
FeedbackF
Fee
e
</html>
In the form, AAM does not support the attribute "action", such as:
"action="form/handle.staff.php""
AAM aFleX Limitations

• When using a RADIUS server as the authorization server with SAML authentication and WS-Feder-
ation relay, AAM aFlex will not retrieve user passwords from HTTP requests. AAM aFlex authori-
zations against the RADIUS server will fail due to failing to provide user password for the RADIUS
server.
• With WS-Federation relay, the Active Directory Federation Services (ADFS) may return attribute
names in lower case or in upper case, while AAM aFlex AAM::attribute commands are case-sensi-
tive. Make sure AAM aFlex is configured with the correct attribute names for the values retrieved
from ADFS.
aFleX Limitations
• This limitation is applicable for all 4.x releases. Tcl allows backslash-newline in its scripts but
aFleX currently does not support it. For example, you can continue a long line in Tcl with a backs-
lash character (\):
set totalLength [expr [string length $one] + \

[string length $two]]
However, aFleX will experience a compilation error if you use backslash-newline. The recommenda-
tion is to write the long line without the backslash character:
set totalLength [expr [string length $one] + [string length $two]]
• The RESOLVE::lookup command does not support CLIENT_ACCEPTED and CLIENT_DATA events
if the virtual port is HTTP or HTTPS type.
page 272
Feedback
IPsec VPN Restrictions and Limitations

The following are of the limitations of the current release:
• To disable perfect forward secrecy (PFS), do not configure a Diffie Helman (DH) group in IPsec
configuration.
• IPsec packet round robin may cause packet reordering.
• Disable anti-reply if IPsec packet round robin is enabled.
• In a single tunnel without IPsec round robin may cause CPU load sharing to trigger, thus forcing
packet round robin. To avoid this, disable CPU load sharing.
• NAT-traversal flow affinity is A10 proprietary and may not inter-operate with other vendors.
• SNMP GET request of ifInOctets/ifOutOctets counters do not match the received/transmitted

bytes for the CLI equivalent of show interfaces tunnel <no> beyond a certain number of bytes.
• IPsec 66 configuration (vpn ike-gateway and vpn ipsec use IPv6 address) does not work in VPN
stateful or software mode or when configured under L3V partition. The IPsec 66 configuration
works on shared partition only if the L3V partition does not have any IPsec configuration and the
IPv6 traffic-selector is configured.
• IPsec 64 configuration (vpn ike-gateway uses IPv4 address and vpn ipsec uses IPv6 address)
does not work in VPN stateful or software mode. The IPsec64 configuration works only if the
IPv6 traffic-selector is configured.
VPN Tunnel Cannot Be Up with SLB Virtual Server Enabled on Azure

vThunder on Azure does not currently allow for VPN tunnels with a slb virtual server enabled.
Incoming Axdebug/Debug Packets Are Not Captured on Azure

vThunder on Azure does not allow for incoming axedebug/debug packets.
Active FTP on vThunder for Azure With KDEMUX Drivers Does Not
Work
Active FTP mode is not supported in Azure with kdemux drivers.
page 273
FeedbackF
Fee
e
Hardware Limitations
Passive FTP on vThunder for AWS and Azure Does Not Work
If you need to use FTP on vThunder for Azure or vThunder for AWS in pvgrub mode, use active FTP; pas-
sive FTP does not work reliably.
VRRP-A and VCS on vThunder for AWS and Azure Does Not Work
VRRP-A and aVCS commands are not available on vThunders instances running in Azure or AWS envi-
ronments.
vThunder Cannot Ping Standby Interface in VPPR-A Deployments

with L3 Inline Mode
If vThunder is deployed with VRRP-A l3-inline-mode, the IP of the local interface (ethernet, VE, and trunk)
for the backup ACOS device is unreachable using a standard ICMP ping.
Hardware Limitations
The following hardware limitations are applicable to all 4.x releases.
• Remote Fault Detection Limitation
• Combo Console/LOM Interface Requires Splitter Cable
• Auto-negotiation Supported on 1GB On-Board Copper Ports Only
• Transceivers Not Purchased From A10 Networks May Show Error Message
• Remote Fault Detection Fiber Limitation
Remote Fault Detection Limitation

Remote Fault Detection for 10G fiber is supported on TH3230, TH3430 and TH5330. 1G fiber is not sup-
ported for these platforms. This same limitation is also applicable to 1G fiber in Thunder FTA-based
platforms with L2/L3 ASIC.
Combo Console/LOM Interface Requires Splitter Cable

The following devices feature a dual IOIO (Console) and Lights Out Management (LOM) interface with a
splitter cable:
page 274
Feedback
Documentation Limitations
• Thunder 7440(S)
• Thunder 6440(S)
• Thunder 5840(S)
• Thunder 5440(S)
• Thunder 4440(S)
Plugging a cable directly into this interface does not work; you must use the splitter cable to have either
console or LOM functionality.
Auto-negotiation Supported on 1GB On-Board Copper Ports Only

Auto-negotiation is only supported on 1GB on-board copper ports. Configuring auto-negotiation on
10GB ports is not supported, even if the port speed is changed to 1G. Other systems connecting to the
10G ports must have auto-negotiate disabled.
Additionally, auto-negotiation is disabled by default when fiber media is used on a 10G interface.
Transceivers Not Purchased From A10 Networks May Show Error

Message
A10 Networks supports Finisar SFP+/QSFP+ transceivers with all ACOS devices. If you purchase a
third-party transceiver, the show int media output may return a “Media Unknown” error message.
Remote Fault Detection Fiber Limitation

Remote Fault Detection for 10G fiber is supported on TH3230, TH3430, and TH5330 (it is not supported
for 1G fiber). The same limitation is applicable to 1G fiber in Thunder FTA-based platforms with L2/L3
ASIC.
There are no known documentation limitations at this time.
page 275
FeedbackF
Fee
e
page 276
Licensing and Upgrading to ACOS 4.1.1
This chapter provides information for upgrading your ACOS software to release 4.1.1.
NOTE: If you are configuring a new ACOS device, see the installation guide for
your specific device for hardware installation instructions, and the Quick
Start Guide for initial configuration instructions.
CAUTION: Make sure N5 SSL card is supported before installing a different soft-
ware.
This chapter contains the following topics:
• Hardware Product SKUs and vThunder Licenses
• Supported Upgrade Paths
• Upgrade Image File Names
• Upgrading to ACOS 4.1.1 From Legacy 2.7.2.x or 2.8.2.x Releases
• Upgrading to ACOS 4.1.1 From 4.x Releases
• Steps After Upgrading to 4.1.1 with an Existing Web-category License
Hardware Product SKUs and vThunder Licenses

This section contains the following topics:
• Hardware Product SKUs and vThunder/Bare Metal Product Licenses
• Third-party Licenses for Webroot and ThreatSTOP
Hardware Product SKUs and vThunder/Bare Metal Product Licenses

This section describes product SKUs for A10 Thunder Series and AX Series hardware devices, and prod-
uct licenses for vThunder devices.
• Hardware devices purchased before February 2016 have no concept of product SKU. Hard-
ware devices purchased after February 2016 are identified by a product SKU.
Feedback page 277

FeedbackF
Fee
e
Hardware Product SKUs and vThunder Licenses
• vThunder devices prior to Release 4.1.0 utilized bandwidth licenses; licenses introduced in 4.1.0
involve both product and bandwidth usage.
The following Table 31 summarizes the hardware device product SKUs and features available in each
product:
TABLE 31ACOS 4.1.0 Hardware Product SKU Matrix

Device SKU Features Available Before 4.1.0 Features Available in 4.1.0
A10 Thunder Series CGN CGN, ADC, and SSLi CGN and ADC
or AX Series hard- ADC ADC, CGN and SSLi ADC and CGN
ware device
SSLi SSLi, ADC and CGN SSLi and related components
CFW N/A CFW, SSLi, ADC, and CGN
The following Table 32 summarizes the vThunder and Bare Metal product licenses and contents of
each product:
TABLE 32ACOS 4.1.0 Product License Matrix

Device License Features Available Before 4.1.0 Features Available in 4.1.0
vThunder device CGN CGN and ADC CGN and ADC
ADC ADC and CGN ADC and CGN
SSLi N/A SSLi and related components
CFW N/A CFW, SSLi, ADC, and CGN
Bare Metal CGN N/A CGN and ADC
ADC N/A ADC and CGN
NOTE: For more information about obtaining your product license, see your spe-
cific vThunder or Bare Metal installation Guide, available on the Support
Portal: https://files.a10networks.com/support-axseries/hardware-install-
guides/index.html.
Third-party Licenses for Webroot and ThreatSTOP

Third-party licenses for Webroot and ThreatSTOP are also available; contact your local A10 Networks
representative for more information.
page 278
Feedback
Supported Upgrade Paths
The following Table 33 summarizes the availability of Webroot and ThreatSTOP licenses for hardware
product SKUs:
TABLE 33ACOS 4.1.0 Webroot and ThreatSTOP Availability Matrix for Hardware
Device SKU Webroot and ThreatSTOP Availability
A10 Thunder Series or AX CGN None
Series hardware device ADC ThreatSTOP
SSLi Webroot and ThreatSTOP
CFW Webroot and ThreatSTOP
The following Table 34 summarizes the availability of Webroot and ThreatSTOP licenses for vThunder
and Bare Metal devices:
TABLE 34ACOS 4.1.0 Webroot and ThreatSTOP Availability Matrix for vThunder and Bare Metal
Device License Webroot and ThreatSTOP Availability
vThunder device licenses CGN None
ADC ThreatSTOP
SSLi Webroot and ThreatSTOP
CFW Webroot and ThreatSTOP
Bare Metal licenses ADC ThreatSTOP
CGN None
Supported Upgrade Paths

The following upgrade paths to ACOS 4.1.1 are supported:
• Any legacy 2.7.2.x or 2.8.2.x release to ACOS 4.1.1 (see Upgrading to ACOS 4.1.1 From Legacy
2.7.2.x or 2.8.2.x Releases)
• Any ACOS 4.x release to ACOS 4.1.1 (see Upgrading to ACOS 4.1.1 From 4.x Releases)
NOTE: To perform an upgrade to ACOS Release 4.x using the GUI, you must
start with Release 2.7.2-P3. Earlier releases are not supported.
These releases support the encryption and decryption of the .upg image file formats used for upgrading
a device (Upgrade Image File Names).
page 279
FeedbackF
Fee
e
Upgrade Image File Names
Upgrade Image File Names

Make sure to use the correct image file for your specific ACOS device.
First, determine whether or not your device is FTA enabled. See Hardware Platform Support, or use the
following show hardware command; devices that are FTA-enabled will have an output similar to the fol-
lowing:
ACOS# show hardware | inc FPGA

FPGA : 4 instance(s) present
Then, make sure to use the correct ACOS image file:
• For FTA enabled platforms, use the image with the file name:
ACOS_FTA_version.upg
• For non-FTA enabled platforms (including vThunder), use the image with the file name:
ACOS_non_FTA_version.upg
Upgrading to ACOS 4.1.1 From Legacy 2.7.2.x or 2.8.2.x

Releases
ACOS 4.1.1 includes an automated migration script to convert legacy 2.7.2.x and 2.8.2.x configurations
to the most current format.
NOTE: Before upgrading, be sure you have obtained the appropriate upgrade
image (Upgrade Image File Names).
This section contains the following topics:
• Upgrade Recommendations and Notes
• Upgrade Instructions
• Generating New Profiles
page 280
Feedback
Upgrading to ACOS 4.1.1 From Legacy 2.7.2.x or 2.8.2.x Releases
• Migrating Partitions
• Migrating Admins
Upgrade Recommendations and Notes

Observe the following best practices for a successful upgrade:
Caveats regarding upgrading and session sync (A10 Tracking ID 364598):

• If performing an upgrade from any of the following legacy ACOS versions (2.7.x, 2.8.x, 4.1.0-PX,
4.1.00 and older) to ACOS versions 4.1.1, 4.1.1-P1 or 4.1.1-P2, you must disable session sync
between older and newer version software versions.
• If performing an upgrade from any of the following ACOS versions (4.1.1, 4.1.1-P1. 4.1.1-P2) to
4.1.1-P3 or higher, you must disable session sync between older and newer version software
versions.
• Only upgrade the image that is currently being used at the boot image; it is not recommended to
upgrade the secondary image area, for example, if the primary image area is the current boot
image area.
• After the upgrade, make sure to boot from the image area that was upgraded to ensure the
success of the upgrade; it is not recommended to upgrade the primary image area, for example,
then boot from the secondary image area.
• If there are existing 4.1.0 profiles on the device, the upgrade will remove those profiles; no pre-
existing 4.1.0 changes will be kept.
• Starting with 4.1.1-P6, when ACOS version 2.7x is upgraded with an existing High Availability
configuration, this configuration will be automatically updated with the equivalent VRRP-A
configuration.
Upgrade Instructions
When you are ready to upgrade:
1. Use the write memory all-partitions command to save your current running-config to the
startup-config.
ACOS-2-7-x(config)# write memory all-partitions

Write configuration to primary default startup-config
[OK]
2. Upgrade your ACOS release 2.7.2-Px or 2.8.2-Px software to release 4.x using the upgrade com-
mand and the image file name from Upgrade Image File Names. For example, to upgrade the pri-
mary boot image on an FTA device:
page 281
FeedbackF
Fee
e
ACOS-2-7-x(config)# upgrade hd pri tftp://2.2.2.2/images/ACOS_FTA_version.upg
Or, on a non-FTA device:
ACOS-2-7-x(config)# upgrade hd pri tftp://2.2.2.2/images/ACOS_non_FTA_version.upg
3. Near the end of the upgrade procedure, you will be prompted to reboot your ACOS device. You can
answer yes to reboot, or no if you want to reboot manually.
You must reboot the device to bring up the ACOS 4.x software and complete the upgrade proce-
dure.
Upgrade to ACOS 4.x is complete once the device is rebooted.
To verify, you can use the show startup-config all command and
Generating New Profiles

ACOS devices have a default configuration profile in each of the primary and secondary boot image
areas. In addition to these default configuration profiles, you can create additional local configuration
profiles in both boot image areas.
The migration script generates new profiles in the following manner:
• For each legacy local configuration profile, the migration tool will generate one new profile with
name with “_40” appended to the name. For example, an existing profile called “slb_profile” would
become “slb_profile_40”. The original profile is not modified so that reverting back to the earlier
version is possible.
Use the show startup-config all command to view a list of all local configuration profiles, and to
view the profile currently being used. The “Version” column in the output shows you the ACOS ver-
sion of the configuration profile.
For example:
ACOS(config)# show startup-config all

Secondary startup-config profile: def_profile
Profile-Name Size Time Version
----------------------------------------------------------------------------
4.1.0-profile 3848 2015-02-28 10:35:48 2.7.2
4.1.0-profile_40 3862 2016-02-04 17:21:05 4.1.0
Default_primary_old 877 2016-02-04 17:21:04 2.7.0
...
page 282
Feedback
• For default primary and secondary configurations, the migration tool will create one copy of the
original profile as a local configuration profile with name “Default_<primary/secondary>_old” and
change the default profile to a format compatible with 4.x.
Migrating Partitions
The migration tool will migrate at most 1023 partitions to the new format, or the maximum number
allowed by the specific system.
For example, a system that allows a maximum of 32 L3V partitions has the following configuration pro-
files:
• Profile1, which contains 16 L3V partitions
• Profile2, which contains 17 L3V partitions
The migration tool will migrate all 33 of these partitions to the new configuration, since the number is
less then 1023. However, since the platform supports a maximum of 32 partitions, you must expect to
see parse error messages similar to the following for each partition exceeding the maximum number
supported by the device:
“partition <partition-name> id <partition-id>”

“no partition <partition-name> id <partition-id>”
If the total number of partition migrated exceeds 1023, the following parse error messages are
expected:
“Warning: Partition <partition-name> is out of limit”
In release 4.x, the directory structure for L3V partitions is completely new. All L3v partitions contain
independent profiles that are not tied to the shared partition. To avoid conflicts in system, all partition
IDs are re-arranged during the migration process and available IDs are assigned to all partitions. Once
all available IDs are assigned, meaning the maximum number of supported partitions is reached, the
remaining partitions are discarded.
Migrating Admins
During the migration process, error messages relating to admin migration will be seen.
This sections has the following topics:
• Error Message When Migrating the Default Admin
page 283
FeedbackF
Fee
e
• Error Message for Admins with Custom Privileges
• Error Messages for Admins with Multiple Partition Privileges
Error Message When Migrating the Default Admin

The following message is normal and can be safely ignored:
Feb 02 2016 23:30:54 Error [CLI]:Parse error when executing command: object-access-con-
trol "none" "none" "none" "none" "none" "none" "none" "none"
Error Message for Admins with Custom Privileges

The following error message is generated when an admin is configured in 2.7.2.x or 2.8.2.x using a cus-
tom privilege (in this case, using privilege read from the admin configuration mode):
ACOS(config)# admin admin1 password admin1

ACOS(config-admin:admin1)# privilege read
ACOS(config-admin:admin1)#
The following is the error message:
Feb 03 2016 00:07:34 Error [CLI]:Parse error when executing command: role-admin ReadOn-
lyAdmin
To work around this issue:
1. Re-configure the admin in the 4.x CLI (same commands as 2.7.2.x or 2.8.2.x).
2. Use write memory to save your changes
3. Use reload to reload the ACOS device.
Error Messages for Admins with Multiple Partition Privileges

The following error message is generated when an admin is configured in 2.7.2.x or 2.8.2.x with multiple
partition privileges. For example:
ACOS(config)# admin admin1 password admin2

ACOS(config-admin:admin2)# privilege partition-read p1 p2
page 284
Feedback
The following is the error message:
Feb 02 2016 22:08:21 Error [CLI]:Parse error when executing command: role-admin Parti-
tionReadOnly "p1" "p2"
Workaround
The following is a workaround for this issue:
1. Re-configure the admin in the 4.x CLI (multiple partition names are not allowed in a single com-
mand in 4.x):
ACOS-4-x(config)# admin admin2 password examplepassword

ACOS-4-x(config-admin:admin2)# privilege partition-read p1
Modify Admin User successful!
ACOS-4-x(config-admin:admin2)# privilege partition-read p2
Modify Admin User successful!
ACOS-4-x(config-admin:admin2)#
2. Use write memory to save your changes

3. Use reload to reload the ACOS device.
Reverting to Your 2.7.2.x or 2.8.2.x Release

To revert to your existing 2.7.2.x or 2.8.2.x release:
1. Use the write memory all-partitions command to save your current running-config to the
startup-config.
ACOS-4-x(config)# write memory all-partitions

Write configuration to primary default startup-config
[OK]
2. Set the boot image to the location where your 2.7.2.x or 2.8.2.x image resides. For example, if your
4.x image was loaded in the primary boot image area, and your legacy image resides in the second-
ary boot image area:
ACOS(config)# bootimage hd sec

Secondary image will be used if system is booted from hard disk
3. Using the reboot command to reboot the device from the specified boot image area.
page 285
FeedbackF
Fee
e
Upgrading to ACOS 4.1.1 From 4.x Releases
NOTE: After the device is rebooted, you can link to the configuration profile of
your choice. (See Generating New Profiles for more information about
how the migration tool handles existing profiles.)
NOTE: After reverting to your 2.7.2.x or 2.8.2.x release, your legacy admin config-
uration will no longer exist. You must re-configure all admins that have a
specified role, or privileges for multiple partitions.

This section contains information for upgrading your existing 4.x release to Release 4.1.1.
The following sections are covered in this topic:
• Upgrade Fails When Using TFTP
• Special Characters Supported in the GUI
• Schema Changes that Impact Backward Compatibility
• Upgrading in a Non-aVCS Environment
• Upgrading in an aVCS Environment
Upgrade Fails When Using TFTP

Attempting to upgrade the ACOS software image fails when attempting to perform the upgrade with the
CLI TFTP command, for example:
ACOS(config)#upgrade hd pri use-mgmt-port tftp://192.168.11.11/ACOS_FTA_4_1_0-P9_60.64.upg
This failure is due to an inherent limitation with the built-in TFTP client in ACOS. The TFTP client’s
default TFTP block size is 512 bytes, which is too small to support download of the ACOS image.
Therefore, it is recommended to set the TFTP client’s block size to a larger value to allow the file trans-
fer to complete successfully.
page 286
Feedback
Special Characters Supported in the GUI

The following changes are made between 4.0 and 4.1.1. In general, the GUI supports the standard
alpha-numeric character set, as follows:
• English letters (lowercase a-z, and uppercase A-Z)

• Numbers (0-9)
• The following characters: “.” (period), “-” (dash/hyphen), and “_” (underscore)
Other special characters are not supported, except as noted for the following objects:
TABLE 35ACOS 4.1.1 Special Characters Supported in the GUI

Supported Special
Object Character Set CLI or Backend GUI
Health Monitor String-rlx 1 √ √
GSLB FQDN Zone ‘*’ √ √
ADC SLB menu: Virtual Servers, Server, Service String-rlx2 √ √
Group
1. String-rlx denotes a variation of string type, with the main difference being that it accepts the following extra charac-
ters: (space), “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(“, “:”, “<“, “>”, “[“, “{“, “}”, “?”, “]”, “|”, “=”, “+”, “\”.
2. The following special characters: “/”, “#”, “?”, “:”, “[“ are not supported for servers, service groups and VIPs.
Schema Changes that Impact Backward Compatibility

The following changes are made between 4.0 and 4.1.1, which might impact backward compatibility.
• /axapi/v3/gslb/policy/
• /axapi/v3/cgnv6
• /axapi/v3/vpn/ike-gateway
• /axapi/v3/system/session/stats
• /axapi/v3/slb and /axapi/v3/slb/template
• /axapi/v3/file and /axapi/v3/import
• /axapi/v3/interface
page 287
FeedbackF
Fee
e
• /axapi/v3/web-category
• /axapi/v3/slb
• /axapi/v3/router
• /axapi/v3/router/isis
/axapi/v3/gslb/policy/
The following properties are removed from this object. Remove these from POST and PUT payloads
before upgrading.
"weighted-ip":{
"type": "number",
"format": "flag",
"default": 0,
"description": "Select Service-IP by weighted preference",
"optional": true
}
"weighted-site":{
"type": "number",
"format": "flag",
"default": 0,
"description": "Select Service-IP by weighted site preference",
"optional": true
}
"bw-cost":{
"type": "number",
"format": "flag",
"default": 0,
"description": "Select site with minimum bandwidth cost",
"optional": true
}
/axapi/v3/cgnv6
The tunnel-endpoint-address is removed from these objects in favor of use-binding-table for multi-
ple tunnel support.
• /axapi/v3/cgnv6
• /axapi/v3/cgnv6/lw-4o6
• /axapi/v3/cgnv6/lw-4o6/global
page 288
Feedback
Revise any existing calls to remove these from POST and PUT payloads from existing scripts before
upgrading.
"tunnel-endpoint-address":{
" type": "string",
"format": "ipv6-address",
"description": "Configure LW-4over6 IPIP Tunnel Endpoint Address (LW-4over6 Tunnel
Endpoint Address)"
}
/axapi/v3/vpn/ike-gateway
The following properties are revised in this object so that the password of a key shall be reset to null
when typing the key keyname command. See the Command Line Interface Reference for further information.
TABLE 36VPN IKE Gateway Key Revision

4.0 Key 4.1.1 Key
"key":{ "key":{
"type":"object", "type": "string",
"properties":{ "format": "string",
"key-name":{ "minLength": 1,
"type":"string", "maxLength": 255,
"format":"string", "description": "Private Key",
"minLength":1, "optional": true
"maxLength":64, },
"description":"Private "key-passphrase":{
Key File Name" "type": "string",
}, "format": "password",
"key-passphrase":{ "minLength": 1,
"type":"string", "maxLength": 127,
"format":"string", "description": "Private Key Pass
"minLength":1, Phrase",
"maxLength":127, "optional": true
"description":"Private },
Key Pass Phrase"
}
}
}
page 289
FeedbackF
Fee
e
The following properties are removed from this object so that vrid default is now vrid 0 in VPN IKE-
Gateway configurations, with the range revised from beginning with 1 to <0-31> (and <0-7> in parti-
tions). If you were previously using vrid default, revise it after upgrading.
"default":{
"type": "number",
"format": "flag",
"default": 0,
"not": "vrid-num",
"description": "Default VRRP-A vrid"
}
The following properties in blue are added to this object so that the CLI and GUI formats display the
same.
"properties":{
"inside-ipv4-address": {
"type": "string",
"format": "ipv4-address"
},
"inside-ipv6-address": {
"type": "string",
"format": "ipv6-address"
}
}
/axapi/v3/system/session/stats
The following properties, which are not session specific, are removed from this object so that the GUI
will know which stats to leverage going forward.
"reverse_nat_tcp_ounter":{
"type": "number",
"format": "counter",
"size": "8",
"oid": "16",
page 290
Feedback
"description": "Reverse NAT TCP",

"optional": true
},
"reverse_nat_udp_ounter":{
"type": "number",
"size": "8",
"oid": "17",
"description": "Reverse NAT UDP",
"optional": true
},
"ssl_failed_total":{
"type":"number",
"format":"counter",
"size":"8",
"oid":"28",
"description":"Total SSL Failures",
"optional":true
},
"ssl_failed_ca_verification":{
"type":"number",
"format":"counter",
"size":"8",
"oid":"29",
"description":"SSL Cert Auth Verification Errors",
"optional":true
},
"ssl_server_cert_error":{
"type":"number",
"format":"counter",
"size":"8",
"oid":"30",
"description":"SSL Server Cert Errors",
"optional":true
},
"ssl_client_cert_auth_fail":{
"type":"number",
"format":"counter",
"size":"8",
"oid":"31",
"description":"SSL Client Cert Auth Failures",
"optional":true
},
"total_ip_nat_donn":{
page 291
FeedbackF
Fee
e
"type":"number",
"format":"counter",
"size":"8",
"oid":"32",
"description":"Total IP Nat Conn",
"optional":true
},
"client_ssl_ctx_malloc_failure":{
"type": "number",
"size": "8",
"oid": "34",
"description": "Client SSL Ctx malloc Failures",
"optional": true
},
/axapi/v3/slb and /axapi/v3/slb/template

The following proxy chaining properties are removed from use with /policy/{name}/forward-policy/
action/{name} actions of forward-to-service-group and forward-to-internet in favor of using with
forward-to-proxy instead. If proxy-chaining was configured in 4.1.0 with forward-to-service-group
and forward-to-internet, it will remain, but is not available with these in 4.1.1.
"proxy-chaining":{
"type": "number",
"format": "flag",
"default": 0,
"description": "Enable proxy chaining feature",
"optional": true
}
/axapi/v3/file and /axapi/v3/import

The csr-generate is removed from various places throughout these objects because CSR Generate
must only appear for a local file name.
• /axapi/v3/file
• /axapi/v3/file-ca-cert
• /axapi/v3/file-ssl-key
• /axapi/v3/import
page 292
Feedback
• /axapi/v3/import-periodic
• /axapi/v3/import-periodic-ssl-cert
• /axapi/v3/import-periodic-ssl-crl
• /axapi/v3/import-periodic-ssl-key
Revise any existing calls to remove these properties from POST and PUT payloads before upgrading.
"csr-generate":{
"type": "number",
"format": "flag",
"default": 0,
"description": "Generate CSR file",
"optional": true
}
/axapi/v3/interface
DHCP is removed from the following objects because DHCP was not supported, even if it was config-
ured.
• /axapi/v3/interface
• /axapi/v3/interface-tunnel
• /axapi/v3/interface-tunnel-ip
After the upgrade, the dhcp configuration will be removed automatically. If an IP address is needed on
tunnel interface, static addresses are supported.
"dhcp":{
"type": "number",
"format": "flag",
"default": 0,
"description": "Use DHCP to configure IP address"
}
/axapi/v3/web-category
The server-timeout default parameter is revised to 15 seconds.
"server-timeout":{
page 293
FeedbackF
Fee
e
"type": "number",
"format": "number",
"minimum": 1,
"maximum": 300,
"default": 15,
"partition-visibility": "shared",
"description": "BrightCloud Servers Timeout in seconds (default: 15s)",
"optional": true
}
/axapi/v3/slb
A variety of counter names are revised in the following statistics:
• slb-server-port-stats
• slb-server-stats
• slb-service-group-member-stats
• slb-service-group-stats
• slb-template-cache-stats
• slb-virtual-server-port-stats
• slb-virtual-server-port-stats-cache
You’ll see the following type of example CLI output differences when sampling-enable is used:
ACOS(config)# slb perf sampling-enable ?
TABLE 37SLB Sampling Enable Statistic Name Revisions

4.0 Sampling Enable Stat Names 4.1.1 Sampling Enable Stat Names
all
total-throughput-bits-per-sec all
l4-connection-rate total-throughput-bits-per-sec
l7-connection-rate l4-conns-per-sec
l7-trans-per-sec l7-conns-per-sec
ssl-connection-rate
ip-nat-connection-rate l7-trans-per-sec
total-new-connection-rate ssl-conns-per-sec
total-current-connectionss ip-nat-conns-per-sec
l4-bandwidth total-new-conns-per-sec
l7-bandwidth
total-curr-conns
l4-bandwidth
l7-bandwidth
page 294
Feedback
You’ll also see the following type of example responses in your GET requests:
curl -k GET https://10.10.10.10/axapi/v3/slb/virtual-server/vs/port/80+tcp/stats \

-H "Content-Type:application/json" \
-H "Authorization: A10 c223169c3ab18f9e3826b9df215c2b"
TABLE 38SLB Virtual Port Statistic Name Revisions

4.0 Virtual Port Stat Names 4.1.1 Virtual Port Stat Names
{ {
"port": { "port": {
"stats" : { "stats" : {
"current-conns":0, "curr_conn":126,
"total-l4-conns":0, "total_l4_conn":13128,
"total-l7-conns":7985,
"total-tcp-conns":7985, "total_l7_conn":0,
"total-conns":7985, "total_tcp_conn":13128,
"total-fwd-bytes":2693024, "total_conn":13128,
"total-fwd-packets":35929, "total_fwd_bytes":6433228,
"total-rev-bytes":2104590, "total_fwd_pkts":91901,
"total-rev-packets":16062,
"total-dns-pkts":0, "total_rev_bytes":6892903,
"total-mf-dns-packets":0, "total_rev_pkts":52519,
"es-total-failure-actions":0, "total_dns_pkts":0,
"compression-bytes-before":0, "total_mf_dns_pkts":0,
"compression-bytes-after":0,
"compression-hit":0, "es_total_failure_actions":0,
"compression-miss":0, "compression_bytes_before":0,
"compression-miss-no-client":0, "compression_bytes_after":0,
"compression_hit":0,
... "compression_miss":0,
"compression_miss_no_client":0,
...
/axapi/v3/router
The ha-standby-extra-cost is revised in various places throughout these objects to support extra cost
per VRID, rather than only for the default VRID.
• /axapi/v3/router
• /axapi/v3/router-ipv6
• /axapi/v3/router-ipv6-ospf
• /axapi/v3/router-isis
• /axapi/v3/router-ospf
The following properties in blue are new. After the upgrade, move existing default VRID costs to an
array.
page 295
FeedbackF
Fee
e
"ha-standby-extra-cost":{
"type": "array",
"minItems": 1,
"items": {
"type": "object"
},
"uniqueItems": true,
"array": [{
"properties": {
"extra-cost": {
"type": "number",
"format": "number",
"minimum": 1,
"maximum": 65535,
"description": "The extra cost value"
},
"group": {
"type": "number",
"format": "number",
"minimum": 0,
"maximum": 31,
"description": "Group (Group ID)"
},
"optional": true
}
}]
}
page 296
Feedback
/axapi/v3/router/isis
The multi field block used for the set-overload-bit suppress command was creating multiple
instances for the set-overload-bit such that PUT operations would fail. The following properties in
blue are revised.
TABLE 39Isis Revisions

4.0 Suppress-List 4.1.1 Suppress-Cfg
"suppress-list":{ "suppress-cfg":{
"type": "array", "type": "object",
"minItems": 1, "properties": {
"items": { "external": {
"type": "object" "type": "number",
}, "format": "flag",
"uniqueItems": true, "default": 0,
"array": [{ "description": "If
"properties": { overload-bit set, don't advertise IP
"suppress": { prefixes learned from other protocols"
"type": "string", },
"format": "enum", "interlevel": {
"description": "type": "number",
"'external': If overload-bit set, don't "format": "flag",
advertise IP prefixes learned from other "default": 0,
protocols; 'interlevel': If overload-bit "description": "If
set, don't advertise IP prefixes learned overload-bit set, don't advertise IP
from another ISIS level; ", prefixes learned from another ISIS level"
"enum": [ }
}
"external", }
"interlevel"
]
},
"optional": true
}
}]
}
Upgrading in a Non-aVCS Environment

To upgrade to ACOS 4.1.1 from earlier 4.x releases if aVCS is not configured:
1. Obtain the appropriate upgrade package (see Upgrade Image File Names).
2. Use this upgrade package and follow the instructions in Upgrade Instructions.
page 297
FeedbackF
Fee
e
Upgrading in an aVCS Environment

To upgrade to ACOS 4.1.1 from earlier 4.x releases if aVCS is configured, follow the procedure
described in this section. In this example, the virtual chassis contains two devices; the current VRRP-A
active device and vMaster “ACOS1,” and the current VRRP-A standby and vBlade device “ACOS2.”
In general terms, the procedure does the following:
1. Save and backup your configuration on both devices.

2. Disable aVCS on ACOS2.
3. Force VRRP-A to fail over from ACOS1 to ACOS2.
4. Upgrade and reboot ACOS1.
5. Force VRRP-A fail over from ACOS2 back to ACOS1.
6. Without saving the configuration on ACOS2, upgrade and reboot ACOS2.
After the reboot, your original configuration will be loaded and ACOS2 will re-join the aVCS chassis and
become the VRRP-A standby device. Your VRRP-A configuration is not disrupted due to the manual
forced failover caused by changing the VRID priorities.
The following are the specific instructions:
1. Obtain the appropriate upgrade package (see Upgrade Image File Names).
2. On all devices in the virtual chassis, save the startup configuration to a new profile. Use the all-par-
titions option if you have L3V partitions configured. Do not link the profile; this profile will serve as
the local backup of the 4.1.0 configuration. For example, on the current vMaster “ACOS1:”
ACOS1-vMaster[8/1](config)# write memory backup_profile all-partitions

Write configuration to profile "backup_profile"
Do you want to link "backup_profile" to startup-config profile? (y/n): n
[OK]
3. Backup your system to a remote device. For example:
ACOS1-vMaster[8/1](config)# backup system scp://exampleuser@examplehost/dir1/dir2/
4. On the vBlade device “ACOS2,” disable aVCS.
ACOS2-vBlade[8/1](config:2)# vcs disable

ACOS2-vBlade[8/1](config:2)#Mar 21 2016 16:14:41 B3 a10logd: [VCS]<3> dcs thread peer
closed connection prematurely
Mar 21 2016 16:14:41 B3 a10logd: [CLI]<3> rimacli: socket select operation failed
page 298
Feedback
Mar 21 2016 16:14:41 B3 a10logd: [CLI]<3> rimacli: terminted because received SIGTERM
signal
ACOS2# show vcs summary

VCS is not active.
ACOS2#
5. On “ACOS2:”
a. Access the configuration level for the VRRP-A VRID in the shared partition and each L3V parti-
tion. For example:
ACOS2# configure
ACOS2(config)# vrrp-a vrid 1
ACOS2(config-vrid:1)#
b. Change the VRID priority to a value that is higher than the priority on the vMaster. For example, if
the VRID priority on the vMaster is 100, we can change the priority to 105:
ACOS2(config-vrid:1)# blade-parameters
ACOS2(config-vrid:1-blade-parameters)# priority 105
ACOS2(config-vrid:1-blade-parameters)# exit
ACOS2(config-vrid:1)# exit
ACOS2(config)#
This will cause VRRP-A to fail over so that ACOS2, now with the higher priority, becomes the new
active device.
6. Install the Release 4.1.1 image on ACOS1 and reboot the device for the change to take effect. See
Upgrade Instructions.
7. On ACOS2:
a. Access the configuration level for the VRRP-A VRID in the shared partition and each L3V parti-
tion. For example:
ACOS2(config)# vrrp-a vrid 1

ACOS2(config-vrid:1)#
b. In the shared partition and all L3V partitions, change the VRID priority back to its original value,
or any value that is lower than the value on ACOS1. For example, if the VRID priority on ACOS1 is
100, we can change the priority to 99 on ACOS2:
ACOS2(config-vrid:1)# blade-parameters
ACOS2(config-vrid:1-blade-parameters)# priority 99
ACOS2(config-vrid:1-blade-parameters)# exit
page 299
FeedbackF
Fee
e
Steps After Upgrading to 4.1.1 with an Existing Web-category License
ACOS2(config-vrid:1)# exit
ACOS2(config)#
This will cause VRRP-A to fail over so that the ACOS1 will once again become the active device.
8. Without saving the configuration, install the Release 4.1.0 image on ACOS2 and reboot the device
for the change to take effect. See Upgrade Instructions.
After ACOS2 is rebooted, your original configuration (saved in step 2) will be loaded and ACOS2 will
rejoin the virtual chassis and the upgrade of the chassis to Release 4.1.0 is complete.
Steps After Upgrading to 4.1.1 with an Existing Web-

category License
If your ACOS appliance has a web-category license, and the web-category license is not yet enabled
after the upgrade, take the following steps to enable your web-category license:*
ACOS#config
ACOS#(config)#web-category
ACOS#(config-web-category)#enable
This procedure will check for and fix a web-category license corruption that might occur from an
upgrade.
*Ensure your ACOS appliance is already configured with an established connection to the Global Licens-
ing Manager (GLM). Configuration for GLM can be done at the global configuration level using the glm
command.
page 300
Additional Changes and Notes
This section describes about the additional changes which are not described in the previous sections
and it provides clarifications on the features supported in the previous releases.
This chapter has the following topic:
• Documentation Errata
Documentation Errata
The following sections clarify or expand on information in the manuals for previous releases:
• Port Batching v2
• Logging Enhancements
• Configuring Port Batching v2 in NAT Pools
• Simultaneous TCP/UDP Port Batch Allocation
• Port Block Allocation Interim Logs
• Configuring Interim-Update Logs for Port Batch v2
Port Batching v2
Port batches can be created in NAT pools using Large Scale Nat (LSN). This allows ACOS to assign port
batches contiguously and increases the maximum configurable port batch size. The port range can be
configured for the NAT pool and then configure up to 4096 ports per port batch. If a subscriber’s con-
nections are fewer than the number of ports in a batch, then only one port batch will be assigned.
NOTE: Support for Port Batching v2 is available from Release 4.1.1-P2.
The only exception is when ALG connections need two consecutive ports in a batch, but the subscriber
does not have two consecutive ports in any given batch. In that case, a new port batch will be assigned
to the subscriber.
NOTE: To change the port batch size, all of the current configuration must be
deleted, and all existing sessions need to be cleared first.
Feedback page 301

FeedbackF
Fee
e
To support contiguous port batch assignments, NAT port ranges will be configurable within a NAT pool.
In both the cases of a port batch and of a NAT pool, a warning log will be generated when a configurable
usage threshold is reached.
A log is generated when a port batch is allocated, and another log is generated when the port batch is
freed. In the case that a session creation fails, the port batch allocation message will be immediately
followed by a port batch freed log.
NOTE: When port batching is configured within an IP NAT pool, ACOS uses less
memory and has better traffic processing performance.
Logging Enhancements
Use of port batches version 2 create new logs, similar to the existing port batching logs.
NOTE: For more information on logging formats, see the Traffic Logging Guide
for IPv6 Migration.
The following sections are covered in this topic:
• Syslog
• Binary Log
• RADIUS Log
• RFC5424 Format and Custom Format
• NetFlow
Syslog
Port batching logs can reflect the starting port and ending port for port batches, rather than the batch
size and the step size. In the examples below, note the difference in the event identifier (NAT-UDP-B and
NAT-UDP-T) that indicate how to interpret the highlighted portion of each log message.
In the following current port batch logs, the highlighted numbers indicate the starting point, the port
batch size, and the step size:
Message: Jan 23 13:27:35 AX5200-11 NAT-UDP-B: 30.30.30.11 -> 162.168.20.220:36448,64,23

Message: Jan 23 13:28:24 AX5200-11 NAT-UDP-X: 30.30.30.11 -> 162.168.20.220:36448,64,23
In the new port batching pool logs below, the highlighted numbers indicate the starting port and the
ending port. The highlighted letters indicate a different event:
page 302
Feedback
Message: Jan 23 13:27:35 AX5200-11 NAT-UDP-T: 30.30.30.11 -> 162.168.20.220:36448,36511

Message: Jan 23 13:28:24 AX5200-11 NAT-UDP-Y: 30.30.30.11 ->
162.168.20.220:36448, 36511
Binary Log
For binary logging format, the “Proto” field of the port batching log header is changed from 3 bits to 2
bits. A new 1 bit header “V” is added to indicate use of the second version of port batching. If the “V” bit
is set, then the new logging format is used. Existing port batching will not have the “V” bit set and will
use the legacy logging format.
The following is an example of a port batching log header:
0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Act | V|Proto| Type | Length |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
If the “V” bit is set, then the following log format is used:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Inside IPv4 Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| NAT IPv4 Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Start NAT Port | End NAT Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
If the “P” bit is not set, then the legacy log format below is used:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Inside IPv4 Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| NAT IPv4 Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Base NAT Port | Batch Size |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Step Size |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
page 303
FeedbackF
Fee
e
RADIUS Log
For RADIUS logging, the following new event codes are added:
VALUE A10-CGN-Action Port-Batch-V2-Allocated 11

VALUE A10-CGN-Action Port-Batch-V2-Freed 12
ATTRIBUTE A10-CGN-Port-Batch-V2-Port-Start 59 short

ATTRIBUTE A10-CGN-Port-Batch-V2-Port-End 60 short
RFC5424 Format and Custom Format

For RFC5424 logging, there are two new custom keywords for the port batch allocation and port batch
freed events.
port-batch-v2-allocated
$proto-name$ Protocol name
$proto-num$ Protocol number
$src-ip$ Source IP
$nat-ip$ NAT IP
$nat-port-start$ Start port of batch NAT ports
$nat-port-end$ End port of batch NAT ports
$inside-user-mac$ Inside user MAC
$radius-msisdn$ RADIUS attribute: MSISDN
$radius-imei$ RADIUS attribute: IMEI
$radius-imsi$ RADIUS attribute: IMSI
$radius-ctm1$ RADIUS attribute: Custom1
The default string for “port-batch-v2-allocated” is as follows:
LSN:PortBatchV2Allocated:$proto-name$ [$src-ip$ $nat-ip$ $nat-port-start$ $nat-port-end$]

port-batch-v2-freed
$src-ip$ Source IP
$nat-ip$ NAT IP
$radius-ctm2$ RADIUS attribute: Custom2I
The default string for “port-batch-v2-freed” is as follows:
page 304
Feedback
LSN:PortBatchV2Freed:$proto-name$ [$src-ip$ $nat-ip$ $nat-port-start$ $nat-port-end$]
NetFlow
NetFlow logging can be configured for NAT pool port batching. To do so, enter the following command
at the NetFlow configuration level:
ACOS(config)# netflow monitor monitor1

ACOS(config-netflow-monitor)# record port-batch-v2-nat44 creation
These options configure NetFlow monitor records for NAT pool port batches for NAT44, NAT64, or
DSLite. The option of both exports both creation and deletion NetFlow records, whereas the options of
creation or deletion export only those respective NetFlow records.
Configuring Port Batching v2 in NAT Pools

To configure Port Batching in a NAT pool in the CLI, enter the following command at the global configu-
ration level:
ACOS(config)# cgnv6 nat pool lsn 198.51.100.1 198.51.100.254 netmask /24 port-batch-v2-
size 64 usable-nat-ports 1024 2000
ACOS(config)# cgnv6 lsn-lid 1
ACOS(config-lsn lid)# source-nat-pool lsn
ACOS(config-lsn-lid)# exit
ACOS(config)# class-list lsn
ACOS(config-class list)# 5.5.5.0 lsn-lid 1
ACOS(config)# cgnv6 lsn inside source class-list lsn
To display logging information for IP NAT pool port batching, enter one of the following show com-
mands:
ACOS# show cgnv6 logging keywords lsn port-batch-v2-allocated

ACOS# show cgnv6 logging keywords lsn port-batch-v2-freed
page 305
FeedbackF
Fee
e
Simultaneous TCP/UDP Port Batch Allocation

In Port Batch version 2, TCP and UDP port batches with the same port range can now be assigned at
the same time, even if only one protocol is used initially.
For example, if a new user requires a TCP port, then a TCP port batch is allocated. The UDP port batch
with the same port range will also be assigned to that user at that time. The TCP user quota is used to
limit the port usage for inside users, and any configured UDP user quota is not applicable when this fea-
ture is enable.
Additionally, NAT pools with TCP and UDP port batch allocation enabled cannot have an extended user
quota configured as well.
NOTE: This feature is only supported in Port Batch version 2, added in release
2.8.2-P1.
• The original Port Batching feature only assigns one protocol port batch at a time.
• Only a single log message is generated when both the TCP and the UDP port batch
are allocated together.
• For more information on the new log message, see TCP/UDP Port Batch Allocation
Logging.
The following sub-sections are covered in this topic:
• Configuring TCP/UDP Port Batch Allocation
• TCP/UDP Port Batch Allocation Logging
• RADIUS
• Configuration Example
Configuring TCP/UDP Port Batch Allocation

This feature is configured at the IP NAT Pool configuration level. Port Batch version 2 must also be
enabled for this feature to take effect. A new option, following in the configuration of Port Batch version
2, is added in the CLI. When configuring Port Batch version 2, enter the “simultaneous-tcp-udp-
batch-allocation” option at the end of the command before committing the configuration to enable
TCP and UDP port batches, like below:
size 64 simultaneous-batch-allocation
page 306
Feedback
TCP/UDP Port Batch Allocation Logging

When simultaneous TCP and UDP port batch allocation is configured, only a single log message is gen-
erate. The protocol string for the log message is “Other”.
The following formats are available/included in this section:
• Default Format
• Compact Format
• RFC5424 Format
• Binary Format
Default Format
Jun 22 19:00:10 30.30.30.81 NAT-OTR-T: 30.30.30.122 -> 40.40.40.111:2002,2065

Jun 22 19:00:12 30.30.30.81 NAT-OTR-Y: 30.30.30.122 -> 40.40.40.111:2002,2065
Compact Format
Jun 22 19:00:23 30.30.30.81 OT: 1e1e1e7a->2828286f:7d2,811

Jun 22 19:00:25 30.30.30.81 OY: 1e1e1e7a->2828286f:7d2,811
RFC5424 Format
Jun 22 11:17:46 30.30.30.81 1 2015-06-22T19:01:34-07:00 10.0.17.81 AX2500 - LSN:Port-

BatchV2Allocated:- [30.30.30.122 40.40.40.111 2002 2065]
Jun 22 11:17:48 30.30.30.81 1 2015-06-22T19:01:36-07:00 10.0.17.81 AX2500 - LSN:Port-
BatchV2Freed:- [30.30.30.122 40.40.40.111 2002 2065]
Binary Format
0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Act |V|Proto| Type | Length |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
• Act (2 bits) – Action:
Port mapping allocate – 0
Port mapping free – 2
• V (1 bits) – Port batch version:
Version 1 – 0
Version 2 – 1
• Proto (2 bits) – Protocol:
TCP – 1
UDP – 2
Other – 0
• Type (3 bits) – Session type:
LSN – 0
page 307
FeedbackF
Fee
e
NAT64 – 1
DS-Lite – 2
6rd over NAT64 – 3
RADIUS
A10-CGN-Protocol = OTHER
Configuration Example
The following configuration example configures an IP NAT pool named “portbatch2” and enables Port
Batch v2, as well as simultaneous TCP and UDP port batch allocation. The IP NAT pool is added to an
LSN LID 1. The LSN LID is then added to a class list called “portbatchlist”, which is then applied to the
IP NAT inside.
size 64 simultaneous-batch-allocation
ACOS(config)# cgnv6 lsn-lid 1
ACOS(config-lsn lid)# source-nat-pool lsn
ACOS(config-lsn-lid)# exit
ACOS(config)# class-list lsn
ACOS(config-class list)# 5.5.5.0 lsn-lid 1
ACOS(config)# cgnv6 lsn inside source class-list lsn
Port Block Allocation Interim Logs

When using Port Batch version 2, it is possible to have more nuanced configurations using Custom Log-
ging format.
Port Batch version 2 logs are sent when a new port batch is allocated, and when the port batch is freed.
In between the two log messages, you can choose to receive interim log messages. These are sent peri-
odically based on a configurable time interval. Interim log messages follow the same log format as the
“port batch allocated” log.
The only fields that change between interim logs are the uploaded and downloaded bytes field, which
display the aggregate amount of traffic that is served by the port batch since the port batch was first
allocated. Since these numbers are aggregated, they do not display traffic information for each individ-
ual session within a port batch.
page 308
Feedback
NOTE: If interim updates are enabled after a port batch is created, then there will
not be interim logs for that port batch. Interim logs will only be generated
for port batches created after interim updates are enabled.
Configuring Interim-Update Logs for Port Batch v2

To support new interim-update logs for Port Batch version 2, new Custom Logging Format configurable
entries and keywords were added in the CLI.
This sections has the following sub-section:
• Custom Format Entry and Keywords
Custom Format Entry and Keywords

Under the custom logging template in the CLI, new configurable entries were added for the RADIUS
interim updates. Keywords for existing Port Batch version 2 and Fixed NAT entries were also added.
For custom logging, there are new keywords for port-batch-v2-allocated and port-batch-v2-freed entries:
port-batch-v2-allocated

$src-ip$ Source IP
$nat-ip$ NAT IP
$inside-user-mac$ Inside user MAC
$ul-byte$ Upload byte count (only for "format custom")
$dl-byte$ Download byte count (only for "format custom")
$sesn-start-time$ Session start time (only for "format custom")
$curr-time$ Log generated time (only for "format custom")
$sesn-id$ Session Identifier (only for "format custom")
port-batch-v2-freed

$src-ip$ Source IP
$nat-ip$ NAT IP
page 309
FeedbackF
Fee
e

$ct-msg$ Connection Termination Message (only for "format custom")
Two new configuration entries are added to custom logging format for interim logs. There is an new
entry for Port Batch version 2 interim updates, and a new entry for Fixed NAT interim updates.
port-batch-v2-interim-update

$src-ip$ Source IP
$nat-ip$ NAT IP
NOTE: The keywords for Port Batch version 2 freed (port-batch-v2-freed) are the
same as the keywords for Port Batch version 2 interim update (port-
batch-v2-interim-update, with the addition of the $ct-msg$ keyword to
log connection termination.
fixed-nat-interim-update
$src-ip$ Source IP
$nat-ip$ NAT IP
$nat-port-start$ First NAT port
$nat-port-end$ Last NAT port
page 310
Feedback

page 311
FeedbackF
Fee
e
page 312
page 313
CONTACT US
a10networks.com/contact
ACOS 4.1.1-P13 RELEASE NOTES 16 MARCH 2020

ACOS 4.1.1-P13 Release Notes: For A10 Thunder Series 16 March 2020

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ACOS 4.1.1-P13 Release Notes: For A10 Thunder Series 16 March 2020

Uploaded by

Copyright:

Available Formats

ACOS 4.1.

A10 NETWORKS INC. SOFTWARE LICENSE AND END USER AGREEMENT

Changes to Default Behavior ................................................................................................. 15

Viewing Resource Usage Statistics ........................................................................................................ 27

IP-anomaly Filtering ................................................................................................................................... 45

What’s New ............................................................................................................................ 51

ACOS 4.1.1-P7 New Features ................................................................................................66

RSA Custom Challenge Form ........................................................................................................... 85

WAF Policies File Size Limit Increase ............................................................................................100

Displaying or Clearing Firewall Helper Sessions .........................................................................113

Explicit Proxy Permission with AAM Policy ..................................................................................131

GSLB CNAME Load Balancing ........................................................................................................146

ACOS 4.x Platform Support Information .............................................................................. 157

Issues Fixed in ACOS 4.1.1 .................................................................................................. 163

Issues Fixed in Release 4.1.1-P12 .......................................................................................168

Known Issues in ACOS 4.1.1 ................................................................................................ 241

Limitations in ACOS 4.1.1 .................................................................................................... 263

IPv6 NAT for FTP Proxy ..........................................................................................................................268

Licensing and Upgrading to ACOS 4.1.1 .............................................................................. 277

Reverting to Your 2.7.2.x or 2.8.2.x Release .......................................................................................285

Additional Changes and Notes ............................................................................................ 301

Changes to Default Behavior

The following topics are covered in this chapter:

• Default Behavior Changes Between ACOS 4.1.1-P9 and ACOS 4.1.1-P10

• Default Behavior Changes Between ACOS 4.1.1-P3 and ACOS 4.1.1-P4

• Default Behavior Changes Between ACOS 4.1.1-P2 and ACOS 4.1.1-P3

• Default Behavior Changes Introduced in ACOS 4.1.1-P2

• Default Behavior Changes Between ACOS 4.1.x and ACOS 4.1.1

• Default Behavior Changes Between ACOS 4.1.0-P2 and ACOS 4.1.1

• Default Behavior Changes from ACOS 4.1.0-P2 to ACOS 4.1.0-P3

• Default Behavior Changes Between ACOS 4.1.0 and ACOS 4.1.0-P2

• Default Behavior Changes Between ACOS 4.0.1 and ACOS 4.1.0

• Default Behavior Changes Between ACOS 4.0 and ACOS 4.0.1

Default Behavior Changes Between ACOS 4.1.1-P9 and

• External Health Monitor Script Access

External Health Monitor Script Access

• import health-external – Import an external health monitor script file.

• health external edit – Opens an editor to modify an existing script.

• health external delete – Removes an existing script.

Default Behavior Changes Between ACOS 4.1.1-P3 and

• Support for Downgrading or Disabling the TLS or SSL Version

Support for Downgrading or Disabling the TLS or SSL Version

ACOS(config)# slb template client-ssl SSL

<30-33> TLS/SSL version: 30-SSLv3.0, 31-TLSv1.0, 32-TLSv1.1 and 33-TLSv1.2

Default Behavior Changes Between ACOS 4.1.1-P2 and

• aXAPI Configuration Field Name Changed From v3_req to v3-request

• aXAPI Configuration Flag Fields Modified in Schema for slb.template.client-ssl

Session Capacity of SLB Real Servers and Ports Increased to 64

(A10 Tracking ID 384415)

aXAPI Configuration Field Name Changed From v3_req to v3-request

(A10 Tracking ID 359359)

aXAPI Configuration Flag Fields Modified in Schema for

The following is a sample aXAPI request and response example:

Default Behavior Changes Introduced in ACOS 4.1.1-P2

• Default Enabled Cipher Suites Update

• NTP Server Default Ports Update

• Support for the Signature Algorithms List in the SSL/TLS Handshake

• Enabling Gateway Traps

• Global Monitoring Template Configuration

• Deprecated ipv4-list and ipv6-list Options for RADIUS Remote Server

• WAF Policy File Size Limit Increased to 10MB

• Deprecated ip-map-list Commands

• Deprecated License Option in the Import Command