A10 4.1.1-P8 Cli-Slb PDF

ACOS 4.1.
1-P8
Command Line Interface Reference for ADC
for A10 Thunder™ Series and AX™ Series
28 March 2018
© 2018 A10 NETWORKS, INC. CONFIDENTIAL AND PROPRIETARY- ALL RIGHTS RESERVED
Information in this document is subject to change without notice.
PATENT PROTECTION
A10 Networks products are protected by patents in the U.S. and elsewhere. The following website is provided to satisfy the virtual pat-
ent marking provisions of various jurisdictions including the virtual patent marking provisions of the America Invents Act. A10 Net-
works' products, including all Thunder Series products, are protected by one or more of U.S. patents and patents pending listed at:
https://www.a10networks.com/company/legal-notices/a10-virtual-patent-marking
TRADEMARKS
A10 Networks trademarks are listed at:
https://www.a10networks.com/company/legal-notices/a10-trademarks
CONFIDENTIALITY
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may
not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Net-
works, Inc.
A10 NETWORKS INC. SOFTWARE LICENSE AND END USER AGREEMENT

Software for all A10 Networks products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees to treat Soft-
ware as confidential information.
Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA), provided later in
this document or available separately. Customer shall not:
1. reverse engineer, reverse compile, reverse de-assemble or otherwise translate the Software by any
means
2. sublicense, rent or lease the Software.
DISCLAIMER
This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not
limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the information
contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product
specifications and features described in this publication are based on the latest information available; however, specifications are sub-
ject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current
information regarding its products or services. A10 Networks’ products and services are subject to A10 Networks’ standard terms and
conditions.
ENVIRONMENTAL CONSIDERATIONS
Some electronic components may possibly contain dangerous substances. For information on specific component types, please con-
tact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic com-
ponents in your area.
FURTHER INFORMATION
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks loca-
tion, which can be found by visiting www.a10networks.com.
Table of Contents
Overview .................................................................................................................................... 17
Config Commands: Server Load Balancing ................................................................................ 19

Global Configuration Mode SLB Commands ......................................................................20
slb common .................................................................................................................................. 20
slb resource-usage ...................................................................................................................... 21
slb server ........................................................................................................................................ 22
slb service-group .......................................................................................................................... 24
slb ssl-cert-revoke-stats sampling-enable .............................................................................. 24
slb ssl-expire-check email-address .......................................................................................... 26
slb ssl-expire-check exception .................................................................................................. 26
slb ssl-forward-proxy sampling-enable ................................................................................... 27
slb ssl-module ............................................................................................................................... 27
slb svm-source-nat pool ............................................................................................................. 28
slb template ................................................................................................................................... 28
slb transparent-acl-template ..................................................................................................... 29
slb transparent-tcp-template ..................................................................................................... 30
slb virtual-server ........................................................................................................................... 31
SLB Common Configuration Mode Commands..................................................................33
buff-thresh ..................................................................................................................................... 34
compress-block-size ................................................................................................................... 35
conn-rate-limit src-ip ................................................................................................................... 35
ddos-protection ............................................................................................................................ 37
ddos-protection logging .............................................................................................................. 37
ddos-protection packets-per-second ....................................................................................... 38
disable-adaptive-resource-check .............................................................................................. 38
disable-server-auto-reselect ...................................................................................................... 38
dns-cache-age .............................................................................................................................. 39
dns-cache-enable ......................................................................................................................... 40
dns-cache-entry-size ................................................................................................................... 42
dns-vip-stateless .......................................................................................................................... 42
drop-icmp-to-vip-when-vip-down .............................................................................................. 42
dsr-health-check-enable ............................................................................................................. 43
enable-l7-req-acct ........................................................................................................................ 43
extended-stats .............................................................................................................................. 44
fast-path-disable .......................................................................................................................... 44
gateway-health-check ................................................................................................................. 45
graceful-shutdown ....................................................................................................................... 46
honor-server-response-ttl ........................................................................................................... 46
hw-compression ........................................................................................................................... 47
page 3
ACOS 4.1.1-P8 Command Line Interface Reference for ADC for A10 Thunder Series
Contents
hw-syn-rr ........................................................................................................................................ 47
l2l3-trunk-lb-disable ..................................................................................................................... 48
max-buff-queued-per-conn ........................................................................................................ 48
max-http-header-count ............................................................................................................... 49
msl-time ......................................................................................................................................... 49
mss-table ....................................................................................................................................... 50
no-auto-up-on-aflex ..................................................................................................................... 50
rate-limit-logging .......................................................................................................................... 51
reset-stale-session ....................................................................................................................... 52
scale-out ........................................................................................................................................ 52
snat-gwy-for-l3 .............................................................................................................................. 52
snat-on-vip ..................................................................................................................................... 53
sort-res ........................................................................................................................................... 53
stats-data-disable ........................................................................................................................ 55
stateless-sg-multi-binding .......................................................................................................... 55
use-mss-tab .................................................................................................................................. 55
Config Commands: SLB Templates ............................................................................................ 57

slb template cache ...................................................................................................................... 58
slb template cipher ...................................................................................................................... 58
slb template client-ssl ................................................................................................................. 60
slb template connection-reuse .................................................................................................. 60
slb template dblb .......................................................................................................................... 62
slb template diameter ................................................................................................................. 62
slb template dns ........................................................................................................................... 65
slb template dynamic -service ................................................................................................... 68
slb template external-service ..................................................................................................... 69
slb template fix ............................................................................................................................. 71
slb template ftp ............................................................................................................................ 72
slb template http .......................................................................................................................... 73
slb template http-policy .............................................................................................................. 82
slb template imap-pop3 .............................................................................................................. 83
slb template logging .................................................................................................................... 84
slb template monitor ................................................................................................................... 85
slb template persist cookie ........................................................................................................ 86
slb template persist destination-ip ........................................................................................... 90
slb template persist source-ip ................................................................................................... 92
slb template persist ssl-sid ........................................................................................................ 95
slb template policy ....................................................................................................................... 96
slb template port .......................................................................................................................... 96
slb template reqmod-icap .......................................................................................................... 96
slb template respmod-icap ........................................................................................................ 96
slb template server ...................................................................................................................... 96
slb template server-ssl ................................................................................................................ 96
slb template sip (over UDP) ....................................................................................................... 97
slb template sip (over TCP/TLS) ............................................................................................... 97
slb template smpp ....................................................................................................................... 97
page 4
Contents
slb template smtp ........................................................................................................................ 97

slb template ssli ........................................................................................................................... 97
slb template tcp ............................................................................................................................ 97
slb template tcp-proxy ................................................................................................................ 97
slb template udp ........................................................................................................................... 97
slb template virtual-port .............................................................................................................. 97
slb template virtual-server .......................................................................................................... 97
Config Commands: SLB Cache Templates ................................................................................. 99

Global Configuration Commands ........................................................................................99
slb template cache ...................................................................................................................... 99
SLB Cache Template Configuration Mode Commands................................................... 101
accept-reload-req .......................................................................................................................101
age .................................................................................................................................................102
default-policy-nocache ..............................................................................................................102
disable-insert-age .......................................................................................................................103
disable-insert-via ........................................................................................................................103
max-cache-size ...........................................................................................................................103
max-content-size ........................................................................................................................104
min-content-size .........................................................................................................................104
policy .............................................................................................................................................104
remove-cookies ..........................................................................................................................105
replacement-policy LFU ............................................................................................................105
template logging ........................................................................................................................106
verify-host ....................................................................................................................................106
Config Commands: SLB Client SSL Templates ......................................................................... 107

Global Configuration Commands ..................................................................................... 107
slb template client-ssl ...............................................................................................................107
SLB Client SSL Template Configuration Mode Commands ............................................ 109
auth-username ........................................................................................................................... 111
auth-username-attribute ...........................................................................................................112
authorization ...............................................................................................................................113
ca-cert ...........................................................................................................................................113
cert ................................................................................................................................................114
chain-cert .....................................................................................................................................114
cipher ............................................................................................................................................115
client-certificate .......................................................................................................................... 116
client-certificate-Request-CA ...................................................................................................116
close-notify ..................................................................................................................................117
crl ...................................................................................................................................................117
dh-param ......................................................................................................................................118
disable-sslv3 ............................................................................................................................... 118
ec-name .......................................................................................................................................119
enable-tls-alert-logging fatal ....................................................................................................119
forward-proxy-alt-sign ...............................................................................................................120
page 5
Contents
forward-proxy-bypass ...............................................................................................................120
forward-proxy-ca-cert ................................................................................................................121
forward-proxy-ca-key .................................................................................................................122
forward-proxy-cache-persistence ........................................................................................... 122
forward-proxy-cert-cache .........................................................................................................123
forward-proxy-cert-expiry .........................................................................................................124
forward-proxy-cert-ext ...............................................................................................................124
forward-proxy-cert-not-ready-action ...................................................................................... 125
forward-proxy-cert-revoke-action ...........................................................................................125
forward-proxy-cert-unknown-action ....................................................................................... 125
forward-proxy-cert-validity .......................................................................................................126
forward-proxy-crl-disable .......................................................................................................... 126
forward-proxy-decrypted dscp ................................................................................................127
forward-proxy-enable ................................................................................................................128
forward-proxy-failsafe-disable .................................................................................................128
forward-proxy-inspect ...............................................................................................................128
forward-proxy-log-disable .........................................................................................................129
forward-proxy-ocsp-disable .....................................................................................................130
forward-proxy-selfsign-redir .....................................................................................................130
forward-proxy-source-nat .........................................................................................................130
forward-proxy-ssl-version .........................................................................................................131
forward-proxy-trusted-ca ..........................................................................................................132
forward-proxy-verify-cert-fail-action .......................................................................................132
hsm-param .................................................................................................................................. 133
key .................................................................................................................................................133
non-ssl-bypass ............................................................................................................................134
ocsp-stapling ...............................................................................................................................134
renegotiation-disable .................................................................................................................135
server-name ................................................................................................................................135
server-name-regex .....................................................................................................................135
session-cache-size ....................................................................................................................137
session-cache-timeout .............................................................................................................137
session-ticket-lifetime ...............................................................................................................137
ssl-false-start-disable ................................................................................................................138
sslv2-bypass ...............................................................................................................................139
template .......................................................................................................................................139
version ..........................................................................................................................................140
Config Commands: SLB Policy Templates ............................................................................... 141

slb template policy ..................................................................................................................... 141
SLB Policy Template Configuration Mode Commands ................................................... 144
bw-list id .......................................................................................................................................145
bw-list name ................................................................................................................................ 146
bw-list over-limit ......................................................................................................................... 146
bw-list timeout ............................................................................................................................ 147
page 6
Contents
bw-list use-destination-ip .........................................................................................................147

class-list .......................................................................................................................................148
forward-policy ............................................................................................................................. 149
geo-location full-domain-tree ...................................................................................................154
geo-location overlap ..................................................................................................................154
geo-location share ..................................................................................................................... 155
SLB Policy Template Class-List LID Configuration Commands ..................................... 155
action ............................................................................................................................................156
bw-rate-limit ................................................................................................................................157
conn-limit .....................................................................................................................................157
conn-rate-limit .............................................................................................................................158
over-limit-action ..........................................................................................................................158
request-limit ................................................................................................................................159
request-rate-limit ........................................................................................................................159
response-code-rate-limit ...........................................................................................................159
Config Commands: SLB Real Port Templates ........................................................................... 161

slb template port ........................................................................................................................161
SLB Port Template Configuration Mode Commands ...................................................... 162
bw-rate-limit ................................................................................................................................163
conn-limit .....................................................................................................................................164
conn-rate-limit .............................................................................................................................165
del-session-on-server-down .....................................................................................................165
dest-nat ........................................................................................................................................166
down-grace-period .....................................................................................................................166
dscp ..............................................................................................................................................167
dynamic-member-priority .........................................................................................................168
extended-stats ............................................................................................................................ 169
health-check ................................................................................................................................ 169
health-check-disable ..................................................................................................................170
inband-health-check ..................................................................................................................170
no-ssl ............................................................................................................................................171
request-rate-limit ........................................................................................................................ 171
slow-start .....................................................................................................................................172
source-nat ....................................................................................................................................173
stats-data-disable ...................................................................................................................... 173
stats-data-enable ....................................................................................................................... 174
weight ...........................................................................................................................................174
Config Commands: SLB REQMOD ICAP Templates .................................................................. 175

slb template reqmod-icap ........................................................................................................176
SLB REQMOD ICAP Template Configuration Mode Commands..................................... 176
allowed-http-methods ...............................................................................................................177
page 7
Contents
fail-close .......................................................................................................................................178
include-protocol-in-uri ...............................................................................................................178
min-payload-size ........................................................................................................................179
preview .........................................................................................................................................179
service-group ..............................................................................................................................180
service-url ....................................................................................................................................180
template .......................................................................................................................................181
Config Commands: SLB RESPMOD ICAP Templates ................................................................ 183

slb template respmod-icap ......................................................................................................184
SLB RESPMOD ICAP Template Configuration Mode Commands .................................. 185
fail-close .......................................................................................................................................185
include-protocol-in-uri ...............................................................................................................186
min-payload-size ........................................................................................................................186
preview .........................................................................................................................................186
service-group ..............................................................................................................................187
service-url ....................................................................................................................................187
template .......................................................................................................................................188
Config Commands: SLB Server Templates ............................................................................... 189

slb template server ....................................................................................................................189
SLB Server Template Configuration Mode Commands .................................................. 191
bw-rate-limit ................................................................................................................................192
bw-rate-limit-acct ....................................................................................................................... 192
conn-limit .....................................................................................................................................193
conn-rate-limit .............................................................................................................................194
dns-query-interval ......................................................................................................................195
dynamic-server-prefix ................................................................................................................195
extended-stats ............................................................................................................................ 195
health-check ................................................................................................................................ 196
log-selection-failure ...................................................................................................................196
max-dynamic-server ..................................................................................................................197
min-ttl-ratio ..................................................................................................................................197
slow-start .....................................................................................................................................198
spoofing-cache ...........................................................................................................................199
stats-data-enable .......................................................................................................................199
stats-data-disable ......................................................................................................................199
weight ...........................................................................................................................................200
Config Commands: SLB Server SSL Templates ........................................................................ 201

slb template server-ssl ..............................................................................................................202
page 8
Contents
SLB Server-SSL Template Configuration Mode Commands........................................... 204

ca-cert ...........................................................................................................................................204
cert ................................................................................................................................................205
cipher ............................................................................................................................................205
close-notify ..................................................................................................................................206
enable-tls-alert-logging fatal ....................................................................................................207
forward-proxy-enable ................................................................................................................207
key .................................................................................................................................................207
renegotiation-disable .................................................................................................................208
server-certificate-error ..............................................................................................................208
session-cache-size ....................................................................................................................209
session-cache-timeout .............................................................................................................209
session-ticket-enable ................................................................................................................210
template cipher ...........................................................................................................................210
use-client-sni ...............................................................................................................................210
version ..........................................................................................................................................211
Config Commands: SLB SIP Templates .................................................................................... 213

slb template sip (over UDP) .....................................................................................................213
slb template sip (over TCP/TLS) .............................................................................................214
SLB SIP (Over UDP) Template Configuration Mode Commands .................................... 215
alg-dest-nat .................................................................................................................................216
alg-source-nat .............................................................................................................................216
call-id-persist-disable .................................................................................................................216
client-request-header erase .....................................................................................................217
client-request-header insert .....................................................................................................217
client-response-header erase ..................................................................................................218
client-response-header insert ..................................................................................................218
dialog-aware ................................................................................................................................219
exclude-translation ....................................................................................................................219
insert-client-ip .............................................................................................................................220
keep-server-ip-if-match-acl ......................................................................................................220
registrar service-group ..............................................................................................................220
server-request-header erase ....................................................................................................221
server-request-header insert ....................................................................................................222
server-response-header erase .................................................................................................222
server-response-header insert .................................................................................................223
timeout .........................................................................................................................................224
SLB SIP (Over TCP/TLS) Template Configuration Mode Commands ............................ 224
alg-dest-nat .................................................................................................................................225
alg-source-nat .............................................................................................................................225
call-id-persist-disable .................................................................................................................226
client-keepalive ...........................................................................................................................226
client-request-header erase .....................................................................................................227
client-request-header insert .....................................................................................................227
page 9
Contents
client-response-header erase ..................................................................................................228

client-response-header insert ..................................................................................................228
dialog-aware ................................................................................................................................229
exclude-translation ....................................................................................................................229
failed-client-selection ................................................................................................................229
failed-server-selection ...............................................................................................................230
insert-client-ip .............................................................................................................................231
server-keep-alive .........................................................................................................................231
server-request-header erase ....................................................................................................232
server-request-header insert ....................................................................................................232
server-response-header erase .................................................................................................233
server-response-header insert .................................................................................................233
server-selection-per-request ....................................................................................................234
smp-call-id-rtp-session .............................................................................................................234
timeout .........................................................................................................................................235
Config Commands: SLB SMPP Templates ............................................................................... 237

slb template smpp .....................................................................................................................237
SLB SMPP Template Configuration Mode Commands................................................... 238
client-enquire-link .......................................................................................................................238
server-enquire-link ......................................................................................................................238
server-selection-per-request ....................................................................................................239
user ...............................................................................................................................................239
Config Commands: SLB SMTP Templates ................................................................................ 241

slb template smtp ...................................................................................................................... 241
SLB SMTP Template Configuration Mode Commands ................................................... 242
client-domain-switching ...........................................................................................................243
command-disable ......................................................................................................................244
server-domain .............................................................................................................................245
service-ready-msg ......................................................................................................................245
starttls ..........................................................................................................................................246
Config Commands: SLB SSLi Templates .................................................................................. 247

slb template ssli ......................................................................................................................... 248
SLB SSLi Template Configuration Mode Commands...................................................... 249
type ...............................................................................................................................................249
Config Commands: SLB TCP Templates ................................................................................... 251

slb template tcp .......................................................................................................................... 251
page 10
Contents
SLB TCP Template Configuration Mode Commands ...................................................... 252

force-delete-timeout ..................................................................................................................253
force-delete-timeout-100ms ....................................................................................................254
half-close-idle-timeout ..............................................................................................................255
half-open-idle-timeout ...............................................................................................................255
idle-timeout .................................................................................................................................256
initial-window-size ......................................................................................................................256
insert-client-ip .............................................................................................................................257
lan-fast-ack ..................................................................................................................................257
qos .................................................................................................................................................258
reset-follow-fin ............................................................................................................................ 258
reset-fwd ......................................................................................................................................259
reset-rev .......................................................................................................................................259
Config Commands: SLB TCP Proxy Templates ......................................................................... 261

slb template tcp-proxy ..............................................................................................................261
SLB TCP Proxy Template Configuration Mode Commands............................................ 262
ack-aggressiveness ...................................................................................................................263
backend-wscale .......................................................................................................................... 264
dynamic-buffer-allocation ........................................................................................................265
fin-timeout ...................................................................................................................................265
force-delete-timeout ..................................................................................................................265
force-delete-timeout-100ms ....................................................................................................266
half-close-idle-timeout ..............................................................................................................267
half-open-idle-timeout ...............................................................................................................267
idle-timeout .................................................................................................................................268
init-cwnd .......................................................................................................................................268
initial-window-size ......................................................................................................................269
insert-client-ip .............................................................................................................................269
keepalive-interval ........................................................................................................................270
keepalive-probes ........................................................................................................................272
mss ...............................................................................................................................................272
nagle .............................................................................................................................................272
qos .................................................................................................................................................273
receive-buffer .............................................................................................................................. 273
reno ...............................................................................................................................................274
reset-fwd ......................................................................................................................................274
reset-rev .......................................................................................................................................274
retransmit-retries ....................................................................................................................... 275
syn-retries ....................................................................................................................................275
timewait .......................................................................................................................................276
transmit-buffer ............................................................................................................................ 276
page 11
Contents
Config Commands: SLB UDP Templates .................................................................................. 277

slb template udp .........................................................................................................................277
SLB UDP Template Configuration Mode Commands...................................................... 278
aging .............................................................................................................................................279
idle-timeout .................................................................................................................................280
qos .................................................................................................................................................280
re-select-if-server-down ............................................................................................................281
stateless-conn-timeout .............................................................................................................281
Config Commands: SLB Virtual Port Templates ....................................................................... 283

slb template virtual-port ............................................................................................................283
SLB Virtual Port Template Configuration Mode Commands .......................................... 285
aflow .............................................................................................................................................286
allow-syn-otherflags ..................................................................................................................287
allow-vip-to-rport-mapping .......................................................................................................287
conn-limit .....................................................................................................................................288
conn-rate-limit .............................................................................................................................289
drop-unknown-conn ..................................................................................................................289
dscp ..............................................................................................................................................290
ignore-tcp-msl ............................................................................................................................. 291
non-syn-initiation ........................................................................................................................291
pkt-rate-limit ................................................................................................................................292
reset-l7-on-failover .....................................................................................................................293
reset-unknown-conn ..................................................................................................................293
snat-msl .......................................................................................................................................293
snat-port-preserve ...................................................................................................................... 294
Config Commands: SLB Virtual Server Templates .................................................................... 295

Global Configuration Mode Commands ........................................................................... 295
slb template virtual-server ........................................................................................................ 295
SLB Virtual Server Template Configuration Mode Commands....................................... 296
conn-limit .....................................................................................................................................297
conn-rate-limit .............................................................................................................................298
icmp-rate-limit .............................................................................................................................299
icmpv6-rate-limit ........................................................................................................................300
subnet-gratuitous-arp ...............................................................................................................300
Config Commands: SLB Servers ............................................................................................... 301

alternate .......................................................................................................................................302
clear slb unused-server-ports ..................................................................................................302
conn-limit .....................................................................................................................................303
conn-resume ...............................................................................................................................304
disable ..........................................................................................................................................305
page 12
Contents
disable-with-health-check .........................................................................................................305
enable ...........................................................................................................................................306
extended-stats ............................................................................................................................306
external-ip ....................................................................................................................................307
health-check ................................................................................................................................307
ipv6 ................................................................................................................................................308
port ................................................................................................................................................308
slow-start .....................................................................................................................................311
spoofing-cache ...........................................................................................................................312
template server ...........................................................................................................................313
weight ...........................................................................................................................................314
Config Commands: SLB Service Groups ................................................................................... 315

backup-server-event-log ...........................................................................................................316
extended-stats ............................................................................................................................ 317
health-check ................................................................................................................................ 318
member ........................................................................................................................................319
method .........................................................................................................................................322
min-active-member ....................................................................................................................329
priority ..........................................................................................................................................330
priority-affinity .............................................................................................................................332
reset auto-switch ....................................................................................................................... 332
reset-on-server-selection-fail ...................................................................................................333
sample-rsp-time .........................................................................................................................333
strict-select ..................................................................................................................................334
template .......................................................................................................................................335
traffic-replication-type ...............................................................................................................336
Config Commands: SLB Virtual Servers ................................................................................... 339

arp-disable ...................................................................................................................................340
description ...................................................................................................................................340
disable ..........................................................................................................................................340
disable-when-all-ports-down ....................................................................................................341
disable-when-any-port-down ...................................................................................................341
enable ...........................................................................................................................................341
extended-stats ............................................................................................................................ 342
port ................................................................................................................................................343
redistribution-flagged ................................................................................................................345
template logging ........................................................................................................................346
page 13
Contents
template policy ...........................................................................................................................346

template scaleout ......................................................................................................................347
template virtual-server ..............................................................................................................347
vrid .................................................................................................................................................348
Config Commands: SLB Virtual Server Ports ............................................................................ 349

aaa-policy .....................................................................................................................................350
access-list ....................................................................................................................................350
aflex ...............................................................................................................................................352
alternate .......................................................................................................................................352
bucket-count ...............................................................................................................................353
clientip-sticky-nat .......................................................................................................................354
conn-limit .....................................................................................................................................354
def-selection-if-pref-failed ........................................................................................................355
def-selection-if-pref-failed-disable ..........................................................................................356
disable ..........................................................................................................................................356
enable ...........................................................................................................................................357
extended-stats ............................................................................................................................ 357
force-routing-mode ....................................................................................................................357
ha-conn-mirror ............................................................................................................................358
ip-map-list ....................................................................................................................................358
ipinip .............................................................................................................................................358
message-switching ....................................................................................................................359
name .............................................................................................................................................359
no-auto-up-on-aflex ...................................................................................................................359
no-dest-nat ..................................................................................................................................359
rate-limit-pr-log ...........................................................................................................................360
redirect-fwd .................................................................................................................................361
redirect-rev ...................................................................................................................................362
redirect-to-https .......................................................................................................................... 363
reset-on-server-selection-fail ...................................................................................................363
rtp-sip-call-id-match ...................................................................................................................363
service-group ..............................................................................................................................364
skip-rev-hash ...............................................................................................................................364
snat-on-vip ...................................................................................................................................365
source-nat auto ..........................................................................................................................365
source-nat pool ...........................................................................................................................366
syn-cookie ....................................................................................................................................367
template .......................................................................................................................................368
template virtual-port ..................................................................................................................369
use-default-if-no-server .............................................................................................................370
use-rcv-hop-for-resp ..................................................................................................................370
Config Commands: Health Monitors ........................................................................................ 373

disable-after-down .....................................................................................................................374
page 14
Contents
dsr-l2-strict ..................................................................................................................................374
interval ..........................................................................................................................................374
method .........................................................................................................................................375
override-ipv4 ................................................................................................................................385
override-ipv6 ................................................................................................................................385
override-port ................................................................................................................................386
passive .........................................................................................................................................386
retry ...............................................................................................................................................387
ssl-ciphers ...................................................................................................................................388
strictly-retry-on-server-error-response ...................................................................................389
up-retry .........................................................................................................................................389
Config Commands: Web Category ............................................................................................ 391

web-category ..............................................................................................................................391
SLB Show Commands .............................................................................................................. 397

show slb aflow ............................................................................................................................399
show slb attack-prevention ......................................................................................................399
show slb cache ...........................................................................................................................400
show slb compression ..............................................................................................................406
show slb connection-reuse ......................................................................................................406
show slb conn-rate-limit ...........................................................................................................407
show slb ddos-protection l4-entries .......................................................................................408
show slb ddos-protection statistics .......................................................................................409
show slb diameter ......................................................................................................................409
show slb fast-http-proxy ...........................................................................................................413
show slb fix ..................................................................................................................................414
show slb ftp .................................................................................................................................416
show slb ftp-proxy ..................................................................................................................... 416
show slb generic-proxy ............................................................................................................. 416
show slb geo-location ...............................................................................................................417
show slb http-proxy ...................................................................................................................418
show slb hw-compression .......................................................................................................420
show slb icap .............................................................................................................................. 421
show slb icap-http ...................................................................................................................... 424
show slb l4 ...................................................................................................................................425
show slb mssql ........................................................................................................................... 433
show slb mysql ........................................................................................................................... 435
show slb passthrough ...............................................................................................................436
show slb performance ..............................................................................................................437
show slb persist .........................................................................................................................438
show slb pop3-proxy .................................................................................................................440
show slb rate-limit-logging .......................................................................................................441
show slb resource-usage .........................................................................................................442
show slb server ...........................................................................................................................443
show slb service-group .............................................................................................................454
show slb sip .................................................................................................................................458
page 15
Contents
show slb smpp ........................................................................................................................... 459

show slb smtp ............................................................................................................................ 464
show slb spdy-proxy ..................................................................................................................466
show slb ssl .................................................................................................................................468
show slb ssl-cert-revoke-stats .................................................................................................471
show slb ssl-counters ...............................................................................................................473
show slb ssl-crl ...........................................................................................................................475
show slb ssl-expire-check ........................................................................................................477
show slb ssl-forward-proxy-cert ..............................................................................................477
show slb ssl-forward-proxy-stats ...........................................................................................480
show slb ssl-ocsp cache ..........................................................................................................480
show slb ssl-ocsp cache detail ...............................................................................................481
show slb switch .......................................................................................................................... 482
show slb syn-cookie ..................................................................................................................486
show slb syn-cookie-buffer ......................................................................................................486
show slb tcp stack .....................................................................................................................487
show slb template ......................................................................................................................488
show slb template policy forward-policy-stats ....................................................................489
show slb virtual-server ..............................................................................................................490
page 16
Overview
This reference lists the ACOS CLI commands that apply specifically to ADC features.
NOTE: For information about system-level commands or about using the CLI,
see the main Command Line Interface Reference guide.
page 17
page 18
Config Commands: Server Load Balancing
The commands in this chapter configure SLB parameters. In some cases, the commands create an
SLB configuration item and change the CLI to the configuration level for that item.
This chapter contains the following topics:
• Global Configuration Mode SLB Commands
• SLB Common Configuration Mode Commands
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are
described in the Command Line Interface Reference.
page 19
Global Configuration Mode SLB Commands

This section describes the SLB CLI commands that are available from global configuration mode:
• slb common
• slb resource-usage
• slb server
• slb service-group
• slb ssl-cert-revoke-stats sampling-enable
• slb ssl-expire-check email-address
• slb ssl-expire-check exception
• slb ssl-forward-proxy sampling-enable
• slb ssl-module
• slb svm-source-nat pool
• slb template
• slb transparent-acl-template
• slb transparent-tcp-template
• slb virtual-server
slb common
Description Access the SLB configuration level for system-wide SLB parameters.
Syntax slb common
This command changes the CLI to the SLB common configuration level for
system-wide SLB parameters, where the commands in “SLB Common
Configuration Mode Commands” on page 33 are available.
NOTE: Commands in SLB common configuration mode are only available in

the shared partition.
Mode Configuration mode
page 20
slb resource-usage
Description Change the capacity of an SLB resource.
Syntax [no] slb resource-usage resource-type
The following table lists the valid resource types and values.
Resource Type Description and Acceptable Values

client-ssl-template-count Maximum number of configurable client SSL templates (32-1024).
conn-reuse-template-count Maximum number of connection reuse templates (32-512).
fast-tcp-template-count Maximum number of configuration Fast TCP templates (32-512).
fast-udp-template-count Maximum number of configuration Fast UDP templates (32-512).
health-monitor-count Maximum number of health monitors (number depends on your sys-
tem)
http-template-count Maximum number of configurable HTTP templates (32-512).
nat-pool-addr-count Maximum number of source IP NAT pools (10-250).
pbslb-subnet-count Maximum number of PBSLB subnets in the system (number
depends on the amount of memory on your system).
persist-cookie-template-count Maximum number of persistent cookie templates (32-512).
persist-srcip-template-count Maximum number of persistent source IP templates (32-512).
proxy-template-count Maximum number of configurable proxy templates (32-512).
real-port-count Maximum number of real server ports (64-2048).
real-server-count Maximum number of real servers (32-1024).
server-ssl-template-count Maximum number of server SSL templates (32-1024).
service-group-count Maximum number of service groups (32-1024).
stream-template-count Maximum number of configurable streaming media templates (32-
512).
virtual-port-count Maximum number of virtual ports (32-1024).
virtual-server-count Maximum number of virtual servers (16-512).
Default The default maximum number for each type of system resource depends on
the specific device model. To display the defaults and current values for your
device, enter the show system resource-usage command.
Usage The maximum number you can configure depends on the resource type and
the specific ACOS device. To display the range of values that are valid for a
resource, enter a question mark instead of a quantity.
• For these SLB templates, the maximum is 256 each, and is not configu-
rable:
• SIP
• SMTP
page 21
• Policy (PBSLB)
• For RAM caching templates, the total number allowed is 128 each.
• The maximum number of health monitors is 1024 (not configurable).
• The total number of wildcard VIPs allowed is 200 and is not configu-
rable.
• For every type of system resource that has a default, the ACOS device
reserves one instance of the resource.
For example, the device allows 256 RAM caching templates. However,
the device reserves one RAM caching template for the default template,
which leaves a maximum of 255 additional RAM configurable caching
templates.
slb server
Description Configure a real server. Use the first command shown below in the example
to create or a delete a server. Use the second command to edit a server.
The “no” form of this command removes an existing real server.

Syntax [no] slb server server-name {ipaddr | hostname}
Parameter Description
server-name Server name, 1-63 characters.
After you have created a real server, you can use this command to rename the real
server.
hostname Fully-qualified hostname, for dynamic real server creation.
ipaddr IP address of the server (IPv4 or IPv6). Required only if you are creating a new server.
Default N/A
Usage This command creates a new or edits an existing real server and changes
the CLI to the server configuration level. (“Config Commands: SLB Servers”
on page 301).
A new real server is created, if required, by adding a server to a service group,

obviating the need to explicitly create a real server prior to adding it to a
service group.
The IP address of the server can be in either IPv4 or IPv6 format.

The maximum number of real servers is configurable. See “slb resource-
usage” on page 21.
Example The following example creates a new real server with an IPv4 address:
page 22
ACOS(config)# slb server rs1 10.10.10.99

ACOS(config-real server)#
page 23
Example The following example creates a new real server with an IPv6 address:
ACOS(config)# slb server rs2 2020:3e8::3

Example The following commands configure a hostname server for dynamic server
creation using DNS, add a port to it, and bind the server template to it.
To create the temp-server template, use the slb template server command.
ACOS(config)# slb server s-test1 s1.test.com
ACOS(config-real server)# template server temp-server
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
slb service-group
Description Configure an SLB service group.
Syntax [no] slb service-group group-name {tcp | udp}
group-name Name of the group, 1-127 characters.
tcp | udp Application type of the group.
Default There are no service groups configured by default.
Usage The normal form of this command creates a new or edits an existing service
group. The CLI changes to the configuration level for the service group. See
“Config Commands: SLB Service Groups” on page 315.
Example The following example adds TCP service group “my-service-group”:
ACOS(config)# slb service-group my-service-group tcp

ACOS(config-slb svc group)#
slb ssl-cert-revoke-stats sampling-enable

Description Enable the AXAPI to show sampled SSL revoked certificate statistics.
Syntax [no] slb ssl-cert-revoke-stats sampling-enable counter-type

ACOS(config)# slb ssl-cert-revoke sampling-enable ?
all all
ocsp_stapling_response_good OCSP stapling response good
page 24
ocsp_chain_status_good Certificate chain status good

ocsp_chain_status_revoked Certificate chain status revoked
ocsp_chain_status_unknown Certificate chain status unknown
ocsp_request OCSP requests
ocsp_response OCSP responses
ocsp_connection_error OCSP connection error
ocsp_uri_not_found OCSP URI not found
ocsp_uri_https Log OCSP URI https
ocsp_uri_unsupported OCSP URI unsupported
ocsp_response_status_good OCSP response status good
ocsp_response_status_revoked OCSP response status revoked
ocsp_response_status_unknown OCSP response status unknown
ocsp_cache_status_good OCSP cache status good
ocsp_cache_status_revoked OCSP cache status revoked
ocsp_cache_miss OCSP cache miss
ocsp_cache_expired OCSP cache expired
ocsp_other_error Log OCSP other errors
ocsp_response_no_nonce Log OCSP other errors
ocsp_response_nonce_error Log OCSP other errors
crl_request CRL requests
crl_response CRL responses
crl_connection_error CRL connection errors
crl_uri_not_found CRL URI not found
crl_uri_https CRL URI https
crl_uri_unsupported CRL URI unsupported
crl_response_status_good CRL response status good
crl_response_status_revoked CRL response status revoked
crl_response_status_unknown CRL response status unknown
crl_cache_status_good CRL cache status good
crl_cache_status_revoked CRL cache status revoked
crl_other_error CRL other errors
Default Not set
Example ACOS(config)# slb ssl-cert-revoke-stats sampling-enable
page 25
slb ssl-expire-check email-address

Description Configure email notification for certificate expiration.
Syntax [no] slb ssl-expire-check email-address address [...]

[before days] [interval days]
address Specifies the email addresses to which to send the notifica-
tions. You can specify up to 2 email addresses. Use a space
between them.
before days Specifies how many days before expiration to begin sending
notification emails. You can specify 1-60. The default is 5
days.
interval days Specifies how many days after expiration to continue sending
notification emails. You can specify 1-5. The default is 2 days.
Default Not set
Usage One notification is sent per day. If a certificate is updated before expiration or
at least before the configured interval, no more notification emails are sent
for that certificate.
Example The following command enables certificate notifications to be sent to email

address “[email protected]”. Expiration notifications are sent beginning
4 days before expiration and continue for 3 days after expiration.
ACOS(config)# slb ssl-expire-check email-address [email protected] before 4 interval 3
slb ssl-expire-check exception

Description Exclude specific certificates from expiration notification emails.
Syntax [no] slb ssl-expire-check exception

{add cert-name | delete cert-name | clean}
add cert-name Adds a certificate to the exception list.
delete cert-name Removes a certificate from the exception list.
clean Removes all certificates from the exception list.
Default Not set
page 26
slb ssl-forward-proxy sampling-enable

Description Enable sampling of SSL forward-proxy events for display in the GUI or for
query by the AXAPI.
Syntax [no] slb ssl-forward-proxy sampling-enable

{all | cert_create | cert_expr | cert_hit | cert_miss | conn_bypass
| conn_inspect}
all Enable sampling of all forward-proxy event types.
cert_create Enable sampling of the rate at which certificates are cre-
ated.
cert_expr Enable sampling of the rate at which created certificates
are expiring.
cert_hit Enable sampling of the rate at which certificate requests
match cached certificates.
cert_miss Enable sampling of the rate at which certificate requests
di not match cached certificates.
conn_bypass Enable sampling the rate that SSL sessions bypassed
inspection.
conn_inspect Enable sampling the rate that SSL sessions are
inspected.
Default Sampling of SSL forward-proxy statistics is disabled.
slb ssl-module
Description Disable the SSL acceleration module.
NOTE: This command only applies to virtual appliances and not to hard-
ware-based models.
Syntax [no] slb ssl-module software
Default SSL acceleration modules are enabled.
Usage This command applies only to add-on SSL acceleration modules, not to the
on-board SSL processors.
page 27
slb svm-source-nat pool

Description Configure the source-NAT pool used in OCSP verification of server certifi-
cates. SVM stands for Server Verification Module.
Syntax [no] slb svm-source-nat pool svm-pool-name
Default None
Mode Global Configuration Mode
slb template
Description Configure an SLB template.
Syntax [no] slb template template-type template-name
template-type Type of template. For a list, enter the following command: slb
template ?
(For information about SLB templates, see “Config Com-

mands: SLB Templates” on page 57.)
template-name Name of the template.
Default The templates have default settings, and some template types are automati-
cally added to a virtual port depending on its service type. For information,
see the Application Delivery and Server Load Balancing Guide.
Usage The normal form of this command creates a new or edits an existing tem-
plate. The CLI changes to the configuration level for the template. See “Con-
fig Commands: SLB Templates” on page 57.
The no form of this command removes an existing template.
The maximum number of templates is configurable. See “slb resource-

Example The following command creates a TCP-proxy template named “proxy1”:
ACOS(config)# slb template tcp-proxy proxy1

ACOS(config-tcp proxy)#
page 28
slb transparent-acl-template
Description Set the idle timeout value for ACL-related pass-through TCP sessions.
A pass-through TCP session is one that is not terminated by the ACOS

device (for example, a session for which the ACOS device is not serving as a
proxy for SLB).
Syntax [no] slb transparent-acl-template template-name
Replace template-name with the name of an existing TCP template (1-63

characters).
To create a TCP template, use the slb template tcp command.
Default The default idle timeout for pass-through TCP sessions is 30 minutes. The
default idle timeout in TCP templates is 120 seconds.
Usage Only the idle timeout setting in the specified TCP template is applicable to
pass-through TCP sessions. None of the other options in TCP templates
affect pass-through TCP sessions.
The maximum idle timeout supported for transparent sessions is 15300

seconds. This is true even if the idle timeout in the TCP template itself is set
to a higher value. Higher idle timeout values apply only to SLB sessions, not
to transparent sessions. This is because transparent sessions are stateless
and can be recreated if timed out.
Example The following command configures the default TCP template, setting the idle
timeout value to 15000 seconds. This template (and thus, idle timeout value)
are then applied to ACL-related pass-through TCP sessions:
ACOS(config)# slb template tcp default

ACOS(config-l4 tcp)# idle-timeout 15000
ACOS(config-l4 tcp)# exit
ACOS(config)# slb transparent-acl-template default
Related Commands slb template tcp, slb transparent-tcp-template
page 29
slb transparent-tcp-template
Description Set the idle timeout value for pass-through TCP sessions.
A pass-through TCP session is one that is not terminated by the ACOS

device (for example, a session for which the ACOS device is not serving as a
proxy for SLB).
Syntax [no] slb transparent-tcp-template template-name
Replace template-name with the name of an existing TCP template (1-63

characters).
To create a TCP template, use the slb template tcp command.
Default The default idle timeout for pass-through TCP sessions is 30 minutes. The
default idle timeout in TCP templates is 120 seconds.
Usage Only the idle timeout setting in the specified TCP template is applicable to
pass-through TCP sessions. None of the other options in TCP templates
affect pass-through TCP sessions.
The maximum idle timeout supported for transparent sessions is 15300

seconds. This is true even if the idle timeout in the TCP template itself is set
to a higher value. Higher idle timeout values apply only to SLB sessions, not
to transparent sessions. This is because transparent sessions are stateless
and can be recreated if timed out.
Example The following command configures the default TCP template, setting the idle
timeout value to 15000 seconds. This template (and thus, idle timeout value)
are then applied to pass-through TCP sessions:

ACOS(config)# slb transparent-tcp-template default
Related Commands slb template tcp, slb transparent-acl-template
page 30
slb virtual-server
Description Configure a virtual server.
Syntax [no] slb virtual-server name

[use-if-ip {ethernet num | loopback num}] |
[ipv6-addr [ipv6-acl acl-name]] |
[ipv4-addr [/mask-length | subnet-mask] acl acl-name]
name Virtual server name, 1-127 characters.
After you have created a virtual server, you can use this command to rename the virtual server
in order to associate this IP with a different name.
use-if-ip Use the IP address of the specified interface.
This option is used on vThunder systems only.

ipv6-addr IPv6 address of the virtual server.
If you are configuring an IPv6 wildcard VIP, enter :: as the IP address.
Use the acl acl-id option to specify IP addresses to be handled as wildcard VIPs. (For more
information, see the “Wildcard VIPs” chapter in the Application Delivery and Server Load Balanc-
ing Guide.)
After you have created a virtual server, you can use this command to change the IP address
associated with this name.
ipv4-addr IPv4 address of the virtual server.
If you are configuring a wildcard VIP, enter 0.0.0.0 as the IP address.
Use the acl acl-id option to specify IP addresses to be handled as wildcard VIPs. (For more
information, see “Wildcard VIPs” chapter in the Application Delivery and Server Load Balancing
Guide.)
After you have created a virtual server, you can use this command to change the IP address
associated with this name.
To configure a contiguous set of IPv4 VIPs, specify the subnet mask or mask length. The
specified ipv4-addr will be the starting IP address of this set of VIPs.
Default N/A
Usage The normal form of this command creates a new or edits an existing virtual
server. The CLI changes to the configuration level for the virtual server. See
“Config Commands: SLB Virtual Servers” on page 339.
The “no” form of this command removes an existing virtual server.
page 31
The maximum number of virtual servers is configurable. See “slb resource-

Notes on VIP Ranges
• The IP addresses in the specified subnet range can not belong to an IP

interface, real server, or other virtual server configured on the ACOS
device.
• The largest supported IPv4 subnet length is /16.
• Statistics are aggregated for all VIPs in the subnet virtual server.
• The current release supports this feature only for DNS ports on the
default DNS port number (TCP port 53 or UDP port 53).
Example The following command configures a new virtual server named “vs1”:
ACOS(config)# slb virtual-server vs1 10.10.2.1

ACOS(config-slb vserver)#
page 32
SLB Common Configuration Mode Commands

This section describes the CLI commands that are available from SLB common configuration mode.
To access this mode, use the slb common command from global configuration mode:
ACOS(config)# slb common

ACOS(config-common)#
Some commands in SLB common configuration mode are only available in the shared partition; com-
mands that are not available in L3V partitions are noted below.
The following commands are available:
• buff-thresh (not available in L3V partitions)
• compress-block-size
• conn-rate-limit src-ip
• ddos-protection
• ddos-protection logging
• ddos-protection packets-per-second
• disable-adaptive-resource-check (not available in L3V partitions)
• disable-server-auto-reselect (not available in L3V partitions)
• dns-cache-age
• dns-cache-enable
• dns-cache-entry-size
• dns-vip-stateless (not available in L3V partitions)
• drop-icmp-to-vip-when-vip-down (not available in L3V partitions)
• dsr-health-check-enable (not available in L3V partitions)
• enable-l7-req-acct
• extended-stats
• fast-path-disable (not available in L3V partitions)
• gateway-health-check (not available in L3V partitions)
• graceful-shutdown
• honor-server-response-ttl
• hw-compression
page 33
• hw-syn-rr (not available in L3V partitions)
• l2l3-trunk-lb-disable (not available in L3V partitions)
• max-buff-queued-per-conn (not available in L3V partitions)
• max-http-header-count (not available in L3V partitions)
• msl-time (not available in L3V partitions)
• mss-table (not available in L3V partitions)
• no-auto-up-on-aflex
• rate-limit-logging
• reset-stale-session
• scale-out
• snat-gwy-for-l3
• snat-on-vip
• sort-res
• stats-data-disable (not available in L3V partitions)
• stateless-sg-multi-binding
• use-mss-tab
buff-thresh
Description Fine-tune thresholds for SLB buffer queues.
CAUTION: Do not use this command except under advisement from A10 Net-
works.
Syntax [no] buff-thresh

hw-buff num
relieve-thresh num
sys-buff-low num
sys-buff-high num
hw-buff num IO buffer threshold. For each CPU, if the number of queued entries
in the IO buffer reaches this threshold, fast aging is enabled and no
more IO buffer entries are allowed to be queued on the CPU’s IO
buffer.
relieve-thresh num Threshold at which fast aging is disabled, to allow IO buffer entries
to be queued again.
page 34
sys-buff-low num Threshold of queued system buffer entries at which ACOS begins
refusing new incoming connections.
sys-buff-high num Threshold of queued system buffer entries at which the ACOS
device drops a connection whenever a packet is received for that
connection.
Default N/A
Mode SLB common configuration mode
compress-block-size
Description Change the default compression block size used for SLB.
Syntax [no] compress-block-size bytes
The bytes option specifies the default compression block size, 6000-32000
bytes.
Description The default is 16000.
Default 16000
Example The following example sets the compression block size to 16000 bytes:

ACOS(config-common)# compress-block-size 16000
conn-rate-limit src-ip
Description Configure source-IP based connection rate limiting.
All connection requests in excess of the connection limit that are received
from a client within the limit period are dropped. This action is enabled by
default when you enable the feature, and can not be disabled.
NOTE: For configuring connection rate limits on IPv6 traffic, use class lists.
For more information, see “class-list” in the Command Line Interface
Reference and “Understanding Class Lists” in the DDoS Mitigation
Guide for ADC.
page 35
Syntax [no] conn-rate-limit src-ip {tcp | udp} conn-limit per {100 | 1000}
[shared] [exceed-action [log] [lock-out lockout-period]]
tcp | udp Specifies the Layer 4 protocol for which the filter applies.
conn-limit Specifies the connection limit. The connection limit is the maximum number of con-
nection requests allowed from a client, within the limit period. You can specify 1-
1000000 (one million).
per {100 | 1000} Specifies the limit period, The limit period is the interval to which the connection limit
is applied. A client is conforming to the rate limit if the number of new connection
requests within the limit period does not exceed the connection limit. You can spec-
ify 100 milliseconds or 1000 milliseconds.
shared Specifies that the connection limit applies in aggregate to all virtual ports. If you omit
this option, the limit applies separately to each virtual port.
exceed-action Enables optional exceed actions:
• log - Enables logging. Logging generates a log message when a client exceeds the
connection limit.
• lock-out lockout-period - Locks out the client for a specified number of sec-
onds. During the lockout period, all connection requests from the client are
dropped. The lockout period can be 1-3600 seconds (1 hour). There is no default.
Example The following commands allow up to 1000 connection requests per one-sec-
ond interval from any individual client. If a client sends more than 1000
requests within a given limit period, the client is locked out for 3 seconds.
The limit applies separately to each individual virtual port. Logging is not
enabled.

ACOS(config-common)# conn-rate-limit src-ip tcp 1000 per 1000 exceed-action lock-out 3
Example The following commands allow up to 2000 connection requests per 100-mil-
lisecond interval. The limit applies to all virtual ports together. Logging is
enabled but lockout is not enabled.

ACOS(config-common)# conn-rate-limit src-ip tcp 2000 per 100 shared exceed-action log
Example These commands allow up to 2000 connection requests per 100-millisec-

ond interval. The limit applies to all virtual ports together. Logging is enabled
and lockout is enabled. If a client sends more than 2000 requests within a
given limit period, to one or more virtual ports, the client is locked out for 3
seconds.

ACOS(config-common)# conn-rate-limit src-ip tcp 2000 per 100 shared exceed-action log lock-
out 3
page 36
ddos-protection
Description Enables hardware blocking of VIP traffic that is addressed to an unconfig-
ured virtual port.
Syntax ddos-protection {enable | disable}
enable | disable Enables or disables hardware blocking of VIP traffic. Default value is disable.
Default disabled
Example This example enables hardware blocking of traffic to unconfigured virutal

ports.

ACOS(config-common)# ddos-protection enable
ddos-protection logging
Description Enables logging of VIP traffic hardware blocking events.
Syntax ddos-protection logging {enable | disable}
enable | disable Enables or disables hardware blocking. Default value is enable .
Default enabled
Example This example disables the logging of hardware blocking of traffic to uncon-
figured virutal ports.

ACOS(config-common)# ddos-protection logging disable
page 37
ddos-protection packets-per-second
Description Enables logging of VIP traffic hardware blocking events.
Syntax ddos-protection packets-per-second {tcp | udp} packet-rate
tcp | udp Specifies the data type of traffic affected by command.
packet-rate Specifies data rate on virtual port that triggers hardware blocking. Value ranges from
0 to 65535. Default value is 200.
Default 200 packets per second for TCP or UDP traffic
Example This example sets the device to begin hardward blocking for any unconfig-
ured TCP ports that exceed 1000 packets per second.

ACOS(config-common)# ddos-protection enable
ACOS(config-common)# ddos-protection packets-per-second tcp 1000
disable-adaptive-resource-check
Description In cases where data packets smaller than a pre-configured size limit are
received, HTTP sessions may be deleted when the number of such packets
received exceeds a pre-defined threshold. This is the default behavior on an
ACOS device.
The disable-adaptive-resource-check command disables the default

behavior.
Syntax [no] disable-adaptive-resource-check
Default Adaptive resource checking is enabled by default.
disable-server-auto-reselect
Description Stop the ACOS device from automatically reselecting a lower priority server
until a server with a higher priority is marked as Down or Disabled.
This is commonly used with inband health monitors.
Syntax [no] disable-server-auto-reselect
Default Server auto-reselection is enabled by default.
page 38
Usage When server priority is configured, the ACOS device sends all traffic to the
highest priority server, until that server starts responding slowly or meets
other negative conditions. This feature stops the ACOS device from auto-
matically reselecting a lower priority server until a server with a higher prior-
ity is marked as Down or Disabled.
When a Data CPU reaches 70%, slb disable-server-auto-reselect will

automatically activate and can be seen in the running config. When the Data
CPU goes back down below 50% it will remove itself.
Example Enable the feature.

ACOS(config-common)# disable-server-auto-reselect
dns-cache-age
Description Configure the amount of time the ACOS device locally caches DNS replies.
DNS cache aging is applicable only when DNS caching is enabled, using the
dns-cache-enable command.
Syntax [no] slb dns-cache-age seconds [honor-server-response-ttl]
Syntax [no] slb dns-cache-age honor-server-response-ttl
seconds Number of seconds the ACOS device caches DNS replies. You can specify
1-1000000 seconds.
NOTE: A DNS reply begins aging as soon as it is cached and continues

aging even if the cached reply is used after aging starts. Use of a
cached reply does not reset the age of that reply.
Default 300
The DNS cache TTL is calculated as follows:

1. If only the TTL is specified, then the specified TTL is used as DNS cache
TTL.
2. If only the honor-server-response-ttl is enabled, then the TTL in server
response will be used as DNS cache TTL.
3. If the TTL is specified and honor-server-response-ttl is enabled, the
minimum TTL between the specified TTL and server response TTL is
used as DNS cache TTL.
page 39
4. If the TTL is not specified and honor-server-response-ttl is not

enabled, the default value (300 seconds) will be used as DNS cache TTL.
NOTE: Server response TTL is the minimum TTL of all resource records in
that response.
Example This example configures the ACOS device to cache DNS replies for 300 sec-
onds.

ACOS(config-common)# dns-cache-age 300
Example This example configures the age of global DNS cache to be the minimum
value between 600 seconds and the server response TTL:

ACOS(config-common)# honor-server-response-ttl
Example This example configures the age of the global DNS cache to be 600 seconds:
Example This command configures the server response TTL to be used as the global
DNS cache TTL:
ACOS(config-common)# dns-cache-age
dns-cache-enable
Description Globally enable caching of replies to DNS queries.
Syntax [no] dns-cache-enable
[
round-robin [ttl-threshold seconds] |
single-answer [ttl-threshold seconds] |
ttl-threshold seconds
]
round-robin For DNS replies that contain multiple IP addresses in the ANSWER
section, the ACOS device rotates the addresses when replying to
client requests. The DNS transaction ID (which is random) is used
to assist in the round-robin. This behavior is better for heavy traffic,
but the side effect is that it will not strictly follow the round-robin.
single-answer Caches only replies that have one IP address in the ANSWER sec-
tion.
ttl-threshold second Specifies the minimum Time-To-Live (TTL) a reply from the DNS
server must have, in order for the ACOS device to cache the reply.
You can specify 1-10000000 seconds.
page 40
Default DNS caching is disabled by default. Disabled. When you globally enable DNS
caching, the round-robin and single-answer options are disabled by default.
The default TTL threshold is 0 (unset).
Usage When DNS caching is enabled, the ACOS device sends the first request for a
given name (hostname, fully-qualified domain name, URL, and so on) to the
DNS server. The ACOS device caches the reply from the DNS server, and
sends the cached reply in response to the next request for the same name.
The ACOS device continues to use the cached DNS reply until the reply times
out. After the reply times out, the ACOS device sends the next request for
that URL to the DNS server, and caches the reply, and so on.
Enabling the single-answer option prevents the caching of DNS replies that
have multiple IP addresses. For example, if a DNS response to a query for
“www.example1.com” and the DNS reply has only one IP address (1.1.1.1),
then the reply will be cached on the ACOS device. However, if the DNS
response to a query for “www.example2.com” has two IP addresses (2.2.2.2
and 3.3.3.3), then the entry would not be cached on the ACOS device.
If the ttl-threshold option is configured on the ACOS device, then DNS replies
will only be cached if they have a TTL value that is larger than the TTL
threshold configured on the ACOS device. This prevents the ACOS device
from caching DNS entries that will expire shortly thereafter.
For example, if the ACOS device’s TTL threshold is set to 7200 seconds and
the ACOS device receives a DNS response for a domain with a TTL of only 10
seconds, there would be little benefit in caching that DNS reply, since it will
soon expire. Despite the cached information, subsequent client requests for
that same domain would bypass the “stale” information cached on the ACOS
device to perform another DNS lookup just 10 seconds later.
DNS caching applies only to DNS requests sent to a UDP virtual port in a
DNS SLB configuration. DNS caching is not supported for DNS requests sent
over TCP.
Example The following example enables DNS caching on the ACOS device with all the
default values.

ACOS(config-common)# dns-cache-enable
page 41
dns-cache-entry-size
Description Set the maximum size in bytes for DNS cache entries.
Syntax [no] dns-cache-entry-size num
Replace num with the desired DNS cache entry size, in bytes (1 - 4096).
Default 256
Example The following example sets the DNS cache entry size to 3600 bytes:

ACOS(config-common)# dns-cache-entry-size 3600
dns-vip-stateless
Description This command causes the ACOS device to use round-robin to load balance
DNS stateless traffic to CPU threads.
NOTE: This command is only available on FTA-enabled platforms.
Syntax [no] dns-vip-stateless
Example Enable this feature:

ACOS(config-common)# dns-vip-stateless
drop-icmp-to-vip-when-vip-down
Description When a virtual IP is down it can still respond to ping (ICMP_ECHO) requests.
With this enabled, a virtual IP that is down will not respond to ping requests.
Syntax [no] drop-icmp-to-vip-when-vip-down
page 42
dsr-health-check-enable
Description Enable health checking of the virtual server IP addresses instead of the real
server IP addresses in Direct server Return (DSR) configurations.
This feature requires configuration of a Layer 3 health method (ICMP), with

the transparent option enabled, and the alias address set to the virtual IP
address. (See method.) The health monitor must be applied to the real server
ports.
Syntax [no] dsr-health-check-enable
Default Health checking is disabled by default.
Example The following commands configure a Layer 3 health monitor for DSR health
checking, apply it to the real server ports, and enable DSR health checking:
ACOS(config)# health monitor dsr-hm

ACOS(config-health:monitor)# method icmp transparent 10.10.10.99
ACOS(config-health:monitor)# exit
ACOS(config-common)# dsr-health-check-enable
enable-l7-req-acct
Description Globally enable Layer 7 request accounting.
When using the least-request load-balancing method in a service group,

Layer 7 request accounting is automatically enabled for the service group’s
members, and for the virtual service ports that are bound to the service
group’s members.
To display Layer 7 request statistics, use the show slb service-group

command. See show slb server, show slb service-group, and show slb
virtual-server.
Syntax [no] enable-l7-req-acct
Default Disabled by default.
Example The example below shows how to enable Layer 7 request accounting.

ACOS(config-common)# enable-l7-rreq-acct
page 43
extended-stats
Description Globally enable collection of extended SLB statistics, including peak connec-
tion statistics.
Syntax [no] extended-stats
Example This example shows how to enable the collection of extended SLB statistics.

ACOS(config-common)# extended-stats
fast-path-disable
Description Disable fast-path packet inspection.
Fast processing of packets maximizes performance by using all underlying

hardware assist facilities. Typically, the feature should remain enabled. The
disable option is provided only for troubleshooting, in case it is suspected
that the fast processing logic is causing an issue. If you disable fast-path
processing, ACOS does not perform a deep inspection of every field within a
packet.
Syntax [no] fast-path-disable
Default Enabled by default.
Mode SLB common configuration mode.
Example The example below shows how to disable fast-path packet inspection.

ACOS(config-common)# fast-path-disable
page 44
gateway-health-check
Description Enables gateway health monitoring.
Syntax [no] gateway-health-check [interval seconds [timeout seconds]]
interval second Specifies time period between health check attempts, 1-180 sec-
onds.
The default interval is 5 seconds.

timeout seconds Specifies how long the ACOS device waits for a reply to any of the
ARP requests, 1-360 seconds.
The default timeout is 15 seconds.
Default See descriptions.
Usage Gateway health monitoring uses ARP to test the availability of nexthop
gateways. When the ACOS device needs to send a packet through a gate-
way, the ACOS device begins sending ARP requests to the gateway.
• If the gateway replies to any ARP request within a configurable timeout,
the ACOS device forwards the packet to the gateway.
• The ARP requests are sent at a configurable interval. The ACOS device
waits for a configurable timeout for a reply to any request. If the gate-
way does not respond to any request before the timeout expires, the
ACOS device selects another gateway and begins the health monitoring
process again.
Example The following example enables gateway health monitoring. Health check
attempts will be made every 10 seconds, with a reply timeout of 20 seconds.

ACOS(config-common)# gateway-health-check interval 10 timeout 20
page 45
graceful-shutdown
Description Provides time for active sessions to terminate normally before closing a ser-
vice after deleting or disabling the real or virtual server or port providing the
service.
Syntax [no] graceful-shutdown grace-period

[server | virtual-server] [after-disable]
grace-period Number of seconds existing connections on a disabled or deleted
server or port are allowed to remain up before being terminated.
You can specify 1-65535 seconds.
server Limits the graceful shutdown to real servers only.
virtual-server Limits the graceful shutdown to virtual servers only.
after-disable Applies graceful shutdown to disabled servers and service ports,
as well as deleted servers. Without this option, graceful shutdown
applies only to deleted servers.
Default Graceful shutdown is disabled by default. When you delete a real or virtual
service port, the ACOS device places all the port’s sessions in the delete
queue, and stops accepting new sessions on the port.
Usage When graceful shutdown is enabled, the ACOS device stops accepting new
sessions on a disabled or deleted port, but waits for the specified grace
period before moving active sessions to the delete queue.
Example These commands enable graceful shutdown with a grace period of one hour:

ACOS(config-common)# graceful-shutdown 3600
honor-server-response-ttl
Description TTL in server response is used as DNS cache TTL.
Syntax [no] honor-server-response-ttl
Example The following example configures the ACOS device to cache DNS replies for
300 seconds.

page 46
hw-compression
Description Enable hardware-based HTTP compression.
Syntax [no] hw-compression
Usage Hardware-based compression is available using an optional hardware mod-

ule on select platforms. For more information, see “Hardware-Based Com-
pression” in the Application Delivery and Server Load Balancing Guide.
Example The following example enables hardware-based HTTP compression.

ACOS(config-common)# hw-compression
hw-syn-rr
Description Enable distribution of client SYNs across multiple CPUs. This feature pro-
tects against CPU overload due to SYN floods, a common symptom of DDoS
attacks.
Syntax [no] hw-syn-rr conn-num
The conn-num option specifies the maximum number of connection requests

(TCP SYNs) allowed from the same client (1-500000). If this threshold is
exceeded, ACOS begins using all the CPUs for processing the SYNs.
Usage Only the control CPU is used for SYN processing.
When the conn-num threshold is exceeded, ACOS begins distributing the

SYNs to the CPUs in round-robin fashion. The control CPU and all data CPUs
are used.
Example The following example enables distribution of client SYNs across multiple
CPUs, using 250,000 TCP SYNs as the threshold.

ACOS(config-common)# hw-syn-rr 250000
page 47
l2l3-trunk-lb-disable
Description Disable or re-enable trunk load balancing.
Syntax [no] l2l3-trunk-lb-disable
Default Enabled by default.
Usage When trunk load balancing is enabled, the ACOS device load balances
outbound Layer 2/3 traffic among all the ports in a trunk. The round-robin
method is used to load balance the traffic. For example, in a trunk containing
ports 1-4, the first Layer 2/3 packet is sent on port 1. The second packet is
sent on port 2. The third packet is sent on port 3, and so on.
If you disable trunk load balancing, the lead port will always used for
outbound traffic, and the other ports will act as standby ports in case the
lead port goes down.
Trunk load balancing applies only to Layer 2/3 traffic, and is enabled by
default. However, the CLI provides a command to disable trunk load
balancing, in case there is a need to do so. Disabling trunk load balancing
causes the ACOS device to use only the lead port for outbound traffic.
NOTE: Note: Trunk load balancing does not apply to Layer 4-7 traffic.
Example The following commands disable trunk load balancing.

ACOS(config-common)# l2l3-trunk-lb-disable
max-buff-queued-per-conn
Description Set the maximum buffer threshold per connection.
Syntax [no] max-buff-queued-per-conn buffer-value
Specify the desired buffer-value (128-4096).
Example The following commands set the maximum buffer value per connection to
1024:

ACOS(config-common)# max-buff-queued-per-conn 1024
page 48
max-http-header-count
Description Configure the number of headers supported in an HTTP request.
Syntax [no] max-http-header-count num
Replace num with the maximum number of HTTP headers supported within a
request (90-255).
Default 90
Example The following commands configure 90 as the number of headers supported

in an HTTP request.

ACOS(config-common)# max-http-header-count 90
msl-time
Description Configure the maximum session life for client sessions. The maximum ses-
sion life controls how long the ACOS device maintains a session table entry
for a client-server session after the session ends.
Syntax [no] msl-time seconds
The seconds option specifies the number of seconds a client session can
remain in the session table after session completion. You can specify 1-40
seconds.
Default 2 seconds
Usage The maximum session life allows time for retransmissions from clients or
servers, which can occur if there is an error in a transmission. If a retrans-
mission occurs while the ACOS device still has a session entry for the ses-
sion, the ACOS device is able to forward the retransmission. However, if the
session table entry has already aged out, the ACOS device drops the retrans-
mission instead.
Maximum session life begins aging out a session table entry when the
session ends:
• TCP – The session ends when the ACOS device receives a TCP FIN
from the client or server.
• UDP – The session ends after the ACOS device receives a server
response to the client’s request. If the reply is fragmented, the maxi-
mum session life begins only after the last fragment is received.
page 49
NOTE: For UDP sessions, the maximum session life is used only if UDP
aging is set to short, instead of immediate. UDP aging is set in the
UDP template bound to the UDP virtual port. The default setting is
short.
Example The following commands configure a maximum session life of 10 seconds.

ACOS(config-common)# msl-time 10
mss-table
Description Configure the TCP Maximum Segment Size (MSS) allowed for client traffic.
This command globally changes the MSS. You also can change the MSS in
individual TCP-proxy templates. (See slb template tcp-proxy.)
Syntax [no] mss-table num
The num option specifies maximum MSS allowed in traffic from clients. You
can specify 128-750.
Default 538
Usage Clients who can only transmit TCP segments that are smaller than the MSS
are unable to reach servers.
Example The following commands configure a TCP MSS of 256.

ACOS(config-common)# mss-table 256
no-auto-up-on-aflex
Description Prevent the health status of virtual ports that are bound to aFleX scripts
from being automatically marked Up.
Syntax [no] no-auto-up-on-aflex
Default This option is disabled by default. Virtual ports that are bound to aFleX
scripts are automatically marked Up.
Example The following commands prevent the health status of virtual ports that are
bound to aFleX scripts from being automatically marked Up.
page 50
ACOS(config-common)# no-auto-up-on-aflex
rate-limit-logging
Description Configure rate limiting settings for system logging.
Syntax [no] rate-limit-logging

[max-local-rate msgs-per-second]
[max-remote-rate msgs-per-second]
[exclude-destination {local | remote}]
max-local-rate Specifies the maximum number of messages per second that can be sent to the
msgs-per-second local log buffer. You can specify 1-100. The default is 32 messages per second.
max-remote-rate Specifies the maximum number of messages per second that can be sent to
msgs-per-second remote log servers. You can specify 1-1,000,000. The default is 15000 messages
per second.
exclude-destination Excludes logging to the specified destination, local or remote. By default, logging
to both destinations is enabled.
Usage Log rate limiting is enabled by default and can not be disabled. The con-
figurable settings have the default values as described in the table above.
The log rate limiting mechanism works as follows:

• If the number of new messages within a one-second interval exceeds
the internal maximum (32 by default), then during the next one-second
interval, ACOS sends log messages only to the external log servers.
• If the number of new messages generated within the new one-second
interval is the internal maximum or less, then during the following one-
second interval, ACOS will again send messages to the local logging
buffer as well as the external log server.
• In any case, all messages (up to the external maximum) are sent to the
external log servers.
Example The following commands increase the maximum number of log messages
per second sent to remote log servers:

ACOS(config-common)# rate-limit-logging max-remote-rate 30000
page 51
reset-stale-session
Description Send reset if a session in the delete queue receives a SYN packet.
Syntax [no] reset-stale-session
Example The following command enables this feature.

ACOS(config-common)# reset-stale-session
scale-out
Description Enable the Scaleout feature for SLB.
For more information, see the Configuring Scaleout guide.
Syntax [no] scale-out
Default Not enabled.
snat-gwy-for-l3
Description Use an IP pool’s default gateway to forward traffic from a real server.
When this feature is enabled, ACOS checks the server IP subnet against the
IP NAT pool subnet. If they are on the same subnet, then ACOS uses the
gateway as defined in the IP NAT pool for Layer 2 / Layer 3 forwarding. This
feature is useful if the server does not have its own upstream router and
ACOS can leverage the same upstream router for Layer 2 / Layer 3.
Syntax [no] snat-gwy-for-l3
Example The following commands enable traffic forwarding using an IP pool’s default
gateway.

ACOS(config-common)# snat-gwy-for-l3
page 52
snat-on-vip
Description Globally enable IP NAT support for VIPs.
Syntax [no] snat-on-vip
Usage Source IP NAT can be configured on a virtual port in the following ways:
• ACL-based source NAT (access-list command at virtual port level)
• VIP source NAT (slb snat-on-vip command at Configuration mode level)
• aFleX policy (aflex command at virtual port level)
• Non-ACL source NAT (source-nat command at virtual port level)
These methods are used in the order shown above. For example, if IP source
NAT is configured using an ACL on the virtual port, and the slb snat-on-vip
command is also used, then a pool assigned by the ACL is used for traffic
permitted by the ACL. For traffic not permitted by the ACL, VIP source NAT
can be used instead.
The current release does not support source IP NAT on FTP or RTSP virtual
ports.
Example The following commands enable IP NAT support for VIPs.

ACOS(config-common)# snat-on-vip
sort-res
Description Enable the sort display option for SLB configuration. When this option is ena-
bled, SLB resources in the configuration are listed in alphabetical order.
The sort feature takes effect only after you configure at least one SLB
resource, after you enable the sort feature. Before you configure at least one
new SLB resource, the SLB resources still appear in the order they were
configured.
Syntax [no] sort-res
Default This option is disabled by default. With this default behavior, SLB resources
of a specific type appear in the order they are configured.
Example The following command displays the configured SLB servers, before the sort
option is enabled and activated:
page 53
ACOS(config-common)# show running-config | include slb server

slb server ee 5.5.5.5
slb server rs20_10 20.20.20.10
slb server Server07 110.20.20.20
slb server MSSQLServer02 110.13.13.21
slb server srv266 10.10.100.10
slb server rs_http 10.1.2.10
slb server ldap-sr 172.16.2.10
slb server s1 20.20.20.30
slb server woo 10.10.99.99
slb server o1 10.10.10.5
slb server http1 20.20.25.10
These commands enable the sort option, configure a new SLB server, and
display the configured SLB servers. The slb server commands are
alphabetically sorted.
ACOS(config-common)# sort-res
ACOS(config-common)# exit
ACOS(config)# slb server s88 4.3.3.3
ACOS(config-real server-node port)# show run | include slb server
slb server MSSQLServer02 110.13.13.21
slb server ee 5.5.5.5
slb server fsort2 4.3.9.58
slb server fsort88 4.3.9.55
slb server ldap-sr 172.16.2.10
slb server o1 10.10.10.5
slb server rs20_10 20.20.20.10
slb server rs_http 10.1.2.10
slb server woo 10.10.99.99
slb server zsort2 4.3.3.9
ACOS(config-real server-node port)#
page 54
stats-data-disable
Description Globally disables periodic collection of statistical data for system resources,
including CPU, memory, disks and interfaces.
Syntax [no] stats-data-disable
Default Disabled (statistics collection is enabled)
Example The following commands globally disable statistics collection for system
resources.

ACOS(config-common)# stats-data-disable
stateless-sg-multi-binding
Description Globally enables the device to allow the binding of stateless service groups
by multiple virtual ports or virtual servers.
After a stateless service group is bound to multiple entities, this command

can be deleted only after all multiple binding instances are removed.
Syntax [no] stateless-sg-multi-binding
Default Disabled
Example The following commands enable the binding of stateless service groups to
multiple virtual ports or servers.

ACOS(config-common)# stateless-sg-multi-binding
use-mss-tab
Description Configure ACOS to base the MSS in replies from VIPs to clients on the inter-
face MTU and MSS value received from clients in SYNs.
Syntax [no] use-mss-tab
page 55
page 56
Config Commands: SLB Templates
This chapter describes the commands and subcommands for configuring SLB configuration tem-
plates.
The following SLB template commands are available:
• slb template cache
• slb template cipher
• slb template client-ssl
• slb template connection-reuse
• slb template dblb
• slb template diameter
• slb template dns
• slb template dynamic -service
• slb template external-service
• slb template fix
• slb template ftp
• slb template http
• slb template http-policy
• slb template imap-pop3
• slb template logging
• slb template monitor
• slb template persist cookie
• slb template persist destination-ip
• slb template persist source-ip
• slb template persist ssl-sid
• slb template policy
• slb template port
• slb template reqmod-icap
page 57
• slb template respmod-icap
• slb template server
• slb template server-ssl
• slb template sip (over UDP)
• slb template sip (over TCP/TLS)
• slb template smpp
• slb template smtp
• slb template ssli
• slb template tcp
• slb template tcp-proxy
• slb template udp
• slb template virtual-port
• slb template virtual-server
To apply a template to a virtual port, use the template command at the configuration level for the virtual
port.
DNS templates have the highest priority and are used first, followed by policy templates. Then the other
types of templates are used as applicable.
slb template cache

Description See “Config Commands: SLB Cache Templates” on page 99.
slb template cipher

Description Configure a template of SSL cipher settings for binding to Client-SSL and
Server-SSL templates.
Syntax [no] slb template cipher template-name
template-name Name of the template (1-127 characters).
Replace template-name with the name of the template, up to 31 characters

long.
page 58
This command enters the SLB Cipher Template configuration mode where
the following commands are available.
[no] cipher [priority num]
cipher The cipher can be one of the names listed in the A10 SSL Cipher Suites List file located on
the A10 Networks Support Portal:
https://www.a10networks.com/support/axseries/appnotes
You can remove (or re-add) one cipher in the template with a single command. Enter sepa-
rate commands for each cipher to remove or re-add.
priority The cipher priority value can be 1-100. The highest priority (most favored) is 100. More
than one cipher can have the same priority. In this case, the strongest (most secure) cipher
is used.
Platforms containing a second generation or third generation SSL card

support all ciphers. ECDHE and DHE ciphers on the server side are
processed by CPU, resulting in high CPU usage.
Platforms containing a first generation SSL card support only RSA ciphers.
Use the show hardware command to see your platform’s specifications. For
more information, refer to Technical Support Advisory: Recommend SSL
Templates for PFS (Perfect Forward Secrecy) Ciphers on the A10 Networks
website.
Default The default priority is 1. All ciphers within a template are enabled by
default.
Usage A cipher template contains a list of ciphers. A client connecting to a virtual

port using the cipher template can use only ciphers that are listed in the tem-
plate.
Optionally, you can assign a priority value to each cipher in the template. It is
recommended that users do not leave this blank. The ACOS device uses
ciphers based on priority. If the client supports the cipher that has the
highest priority, that cipher is used. If the client does not support the highest-
priority cipher, the ACOS device attempts to use the cipher with the second-
highest priority.
Notes
• An SSL cipher template takes effect only when you apply it to a client-
SSL template or server-SSL template.
• When you apply (bind) a cipher template to a client-SSL or server-SSL
template, the settings in the cipher template override any cipher settings
in that client-SSL or server-SSL template.
page 59
• Priority values are supported only for client-SSL templates. If a cipher

template is used by a server-SSL template, the priority values in the
cipher template are ignored.
Example The following commands configure a cipher template:
ACOS(config)# slb template cipher cipher_tmplt1

ACOS(config-cipher)# SSL3_RSA_DES_64_CBC_SHA priority 5
ACOS(config-cipher)# TLS1_RSA_AES_128_SHA priority 10
ACOS(config-cipher)# TLS1_RSA_AES_256_SHA
ACOS(config-cipher)# end
This template contains 3 ciphers. The ACOS device attempts to use

TLS1_RSA_AES_128_SHA first. If the client does not support this cipher, the
ACOS device attempts to use SSL3_RSA_DES_64_CBC_SHA. If the client
does not support this cipher either, the ACOS device tries to use
TLS1_RSA_AES_256_SHA.
Example The following command binds the cipher template, cipher_tmplt1, to the cli-
ent-SSL template, SSLInsight_ClientSide.
ACOS(config)# slb template client-ssl SSLInsight_ClientSide

ACOS(config-client ssl)# forward-proxy-ca-cert enterpiseABC-selfsignd
ACOS(config-client ssl)# forward-proxy-ca-key enterpiseABC-key
ACOS(config-client ssl)# forward-proxy-enable
ACOS(config-client ssl)# template cipher cipher_tmplt1
ACOS(config-client ssl)# end
slb template client-ssl

Description See “Config Commands: SLB Client SSL Templates” on page 107.
slb template connection-reuse

Description Configure re-use of established connections.
Syntax [no] slb template connection-reuse template-name
Replace template-name with the name of the template, 1-127 characters.
page 60
This command enters the SLB Connection-Reuse Template Configuration

mode where the following commands are available.
Command Description
[no] keep-alive-conn number Specifies the number of new reusable connections to open before begin-
ning to reuse existing connections. You can specify 1-1024 connections.
This option is applicable for both HTTP and SIP-over-TCP sessions.
By default, this option is not enabled in the template, but when activated,
the default value is 100.
[no] limit-per-server number Maximum number of reusable connections per server port. You can
specify 0-65535. 0 means unlimited.
The default is 1000 connections.

[no] timeout seconds Maximum number of seconds a connection can be idle before timeing
out. You can specify 60-3600 seconds; the value specified must be divis-
ible by 60.
The default is 2400 seconds (40 minutes).
Default “Default” connection reuse template defaults are listed in the command
table.
To display default template settings, use the show slb template

connection-reuse default command. See “show slb template” on page 488.
Usage The normal form of this command creates a connection reuse template. The
no form of this command removes the template.
You can bind only one connection-reuse template to a virtual port. However,
you can bind the same connection-reuse template to multiple ports.
Due to the way the connection-reuse feature operates, backend sessions
with servers will not be reused in either of the following cases:
• The limit-per-server option is set to a very low value, lower than the
number of data CPUs on the ACOS device.
• The keep-alive-conn option is set to a lower value than the limit-per-
server option.
Example The following commands configure a connection reuse template named

“conn-reuse1” and set the limit per server to 2000 re-used connections:
ACOS(config)# slb template connection-reuse conn-reuse1

ACOS(config-conn reuse)# limit-per-server 2000
page 61
slb template dblb

Description Create a template for database load-balancing (DBLB).
Syntax [no] slb template dblb template-name
This command enters the SLB DBLB Template Configuration mode where
Command Description
[no] calc-sha1 password Displays the SHA1-encrypted version of a clear text string.
[no] class-list list-name Applies a class list of username-password pairs for DBLB client authentica-
tion to access the database server.
[no] server-version type Specifies the type of database system for the DBLB server that processes
database requests. For type you can specify one of the following:
• MSSQL2008 – MS-SQL server (version 2008 or 2008 R2)
• MSSQL2012 – MS-SQL server (version 2012)
• MySQL – Any version of MySQL
Default The configuration does not have a default DBLB template.
slb template diameter

Description Configure Diameter load balancing.
Syntax [no] slb template diameter template-name
page 62
This command enters the SLB Diameter Template Configuration mode

where the following commands are available.
Command Description
[no] Specifies a custom AVP value to insert into Capabilities-Exchange-Request
avp avp-num messages sent by the ACOS device to Diameter servers.
{int32 | int64 | string}
value [mandatory] For each custom AVP value to insert, you must specify the following infor-
mation:
• avp-num – Diameter AVP number.
• int32 | int64 | string – Specifies the data format of the value to

insert.
• value – Specifies the value to insert.
• mandatory – Sets the AVP mandatory flag on. By default, this flag is off
(not set).
You can configure up to 6 custom AVP values for insertion. Enter the com-
mand separately for each AVP value.
[no] customize-cea Replaces the AVPs in Capabilities-Exchange-Answer (CEA) messages with
the custom AVP values you configure before forwarding the messages.
[no] duplicate avp-num Duplicates Accounting-Request messages and sends them to a separate
pattern service-group service group. This option is useful for logging, accounting, and so on.
To configure message duplication, configure real servers and the service

group, and use the duplicate command to configure the following parame-
ters:
• avp-num – Diameter AVP number.
• pattern – String pattern within the message.
• service-group – The duplication service group, which is the service

group to which to send the duplicate messages.
NOTE: To place the message duplication configuration into effect, you

must unbind the Diameter template from the Diameter virtual port, then
rebind it.
A Diameter template in which message duplication is configured can be

bound to only a single virtual port.
[no] dwr-time ms Specifies the maximum number of seconds the ACOS device will wait for
the reply to a device-watch-dog message sent to a Diameter server before
marking the server Down. You can specify 0-2147483647 milliseconds (ms),
in 100-ms increments.
The default is 10000 ms (10 seconds).

[no] dwr-up-retry Specifies the number of Device Watchdog Request and Device Watchdog
Answer messages required to mark a server port as up. You can specify 1-7.
The default is 3.
page 63
Command Description
[no] Specifies the number of minutes a Diameter session can remain idle before
idle-timeout minutes the session is deleted. You can specify 1-65535 minutes.
The default is 5 minutes.

[no] Enables load balancing of Diameter message codes, in addition to those
message-code num already load balanced by default. You can enable load balancing of up to 10
additional message codes:
• Accounting-Request (code 271)
• Accounting-Answer (code 271)
• Credit-Control-Request (code 272)
• Credit-Control-Answer (code 272)
• Capabilities-Exchange-Request (code 257)
• Capabilities-Exchange-Answer (code 257)
• Device-Watchdog-Request (code 280)
• Device-Watchdog-Answer (code 280)
• Session-Termination-Request (code 275)
• Session-Termination-Answer (code 275)
• Abort-Session-Request (code 274)
• Abort-Session-Answer (code 274)
• Disconnect-Peer-Request/Disconnect-Peer-Answer (code 282)
The ACOS device drops all other Diameter message codes by default.
[no] multiple-origin-host Prepends the CPU ID onto the origin-host string to identify the CPU used for
a given Diameter peer connection.
The ACOS device establishes a separate peer connection with each Diame-
ter server on each CPU. The multiple-origin-host option does not enable or
disable this behavior. The option simply shows or hides the CPU ID in the
origin-host string.
[no] Sets the value of Diameter AVP 264. This AVP can be a character string and
origin-host host.realm specifies the identity of the originating host for Diameter messages. Since
the ACOS device acts as a proxy for Diameter, this AVP refers to the ACOS
device itself, not to the actual clients. From the Diameter server’s stand-
point, the ACOS device is the Diameter client.
Specify the origin-host in the following format: host.realm
The host is a string unique to the client (ACOS device). The realm is the
Diameter realm, specified by the origin-realm option (described below).
[no] origin-realm string Sets the value of Diameter AVP 296. This AVP can be a character string and
specifies the Diameter realm from which Diameter messages, including
requests, are originated.
page 64
Command Description
[no] product-name string Sets the value of Diameter AVP 269. This AVP can be a character string and
specifies the product; for example, “a10dra”.
[no] session-age minutes Specifies the absolute limit for Diameter sessions. Any Diameter session
that is still in effect when the session age is reached is removed from the
ACOS session table. You can specify 1-65535 minutes.

[no] terminate-on-cca-t Removes Diameter sessions when receiving the Server CCA-Termination
message, rather than waiting for the Client Session-Terminate-Request
(STR).
[no] vendor-id num Sets the value of Diameter AVP 266. This AVP can be a numeric value and
specifies the vendor; for example, “156”. Make sure to use a non-zero value.
Zero is reserved by the Diameter protocol.
Default The configuration does not have a default Diameter template. If you config-
ure one, the template has the default values described in the table above.
Mode Configure
Usage The normal form of this command creates a Diameter template. The no form
of this command removes the template.
You can bind only one Diameter template to a virtual port. However, you can
bind the same Diameter template to multiple ports.
Example For configuration examples, see the “Diameter Load Balancing” chapter in
the Application Delivery and Server Load Balancing Guide.
slb template dns

Description Configure DNS caching.
Syntax [no] slb template dns template-name
This command enters the SLB DNS Template Configuration mode where the
following commands are available.
Command Description
[no] class-list name Applies a class list to the template.
[no] default-policy Specifies default action when a query does not match any class-list
[cache | nocache] entries. The default is nocache.
[no] disable-dns-template Disables template. The template remains in the configuration.
By default, template is enabled and takes effect when bound to a DNS

port.
page 65
Command Description
[no] dns-log-enable period Enables logging for DNS caching. The period option specifies how often
minutes log messages are generated. You can specify 1-10000 minutes.
[no] dns64 options Enable DNS64. Specify one of the following available options:
• answer-only-disable - Disable only translate the answer section.
• auth-data - Set AA flag in the DNS response.
• cache - Generate response by DNS cache.
• change-query - Always change incoming AAAA DNS Query to A.
• compress-disable - DNS compression is disabled.
• deep-check-rr-disable - Disable the checking of DNS response

records.
• enable - Enable DNS64. This option must be enabled before any other
DNS64 options are enabled.
• ignore-rcode3-disable - Disable Ignore DNS error response (rcode

3).
• max-qr-length - Maximum question record (QR) length (1-1023);

default 128.
• parallel-query - Forward AAAA queries; generates A query in parallel.
• passive-query-disable - Disable generation of a query upon an

empty or error response.
• retry - retry count (0-15); default is 3.
• single-response-disable - Disable single response which is used to

avoid ambiguity.
• timeout seconds - Timeout to send additional queries (0-15 seconds);

default is 1 second.
• trans-ptr - Translate DNS PTR records.
• ttl seconds - Specify maximum TTL in DNS responses in seconds (1-

1000000000)., unit: second
[no] enable-cache-sharing Enables caching of TCP-based DNS queries along with UDP-based que-
ries.
NOTE: If DNS authentication also is enabled, the initial request is not only
redirected to TCP, but is then cached so that a second request is not
made to the DNS server.
[no] malformed-query Specifies the action to take for malformed DNS queries:
{drop |
forward service-group-name} • drop – Drops malformed queries.
• forward – Sends the queries to the specified service group.
With either option, the malformed queries are not sent to the DNS virtual
port.
page 66
Command Description
[no] max-cache-entry-size Specifies the maximum number of bytes each cache entry can have,
num 1-4096.
The default is 256.

[no] max-cache-size num Specifies the maximum number of entries that can be cached per VIP.
The maximum configurable amount depends on the amount of RAM
installed on the ACOS device.
[no] max-query-length num Specifies the maximum length for DNS queries, 1-4095.
By default, there is no limit on the length.

[no] query-id-switch Enables stateful query-ID-based load balancing, which distributes DNS
queries on a request-ID basis. This helps provide even distribution of DNS
query traffic behind a DNS proxy.
Without the query-ID-based load balancing option, multiple requests

received by a DNS virtual port appear to be from the same source, if the
source IP address and Layer 4 port are the same. For example, without
query-ID-based load balancing, if ACOS receives multiple requests from a
DNS proxy, the requests can appear to be from the same end-user, if they
all have the same source IP address and Layer 4 port.
This feature applies only to DNS port 53. For other load-balanced DNS vir-
tual ports, requests are load balanced based on the following:
• Source IP address and Layer 4 port
• Destination IP address and Layer 4 port
• Protocol (virtual port type: DNS, DNS-TCP, or DNS-UDP)
This is the same as DNS load balancing without request-ID-based load

balancing. The feature is “stateful” because ACOS session resources are
used, and the sessions can be viewed in the session table.
This is disabled by default.

[no] redirect-to-tcp-port Enables authentication for DNS requests received over UDP. When this
feature is enabled, ACOS drops the UDP DNS request from a client, and
sends the client a DNS Truncate message. To pass DNS authentication,
the client must resend the DNS request over TCP.
By default, this feature is disabled.
Default DNS template options have the default settings described in the table above.
Mode Configure
Usage The normal form of this command creates a DNS template. The no form of
this command removes the template.
You can bind only one DNS template to a virtual port. However, you can bind
the same DNS template to multiple ports.
For DNS caching, bind the template to virtual port type dns-udp. Virtual port
type dns applies only to DNS security.
page 67
DNS templates are not supported with stateless load-balancing methods.
Example This example configures the age of virtual port DNS cache using DNS tem-
plate dns1 will be the minimum value between 600 seconds and server
response TTL:
ACOS(config)# show running-config | section class-list

class-list cl1 dns
dns contains example.com lid 1
ACOS(config)# slb template dns dns1
ACOS(config-dns)# class-list name cl1
ACOS(config-dns)# class-list lid 1
ACOS(config-dns-lid)# dns ttl 600 honor-server-response-ttl
Example The following command means the age of the virtual port DNS cache using
DNS template dns1 will be 600 seconds:
ACOS(config-dns-lid)# dns ttl 600
Example The following command means the server response TTL will be used as the
virtual port’s DNS cache TTL using DNS template dns1:
ACOS(config-dns-lid)# dns ttl honor-server-response-ttl
slb template dynamic -service

Description Creates a template that you can bind to virtual ports to access the DNS serv-
ers specified by the dns server sub-command.
Syntax [no] slb template dynamic-service template-name
This command changes the CLI mode to dynamic service configuration

mode, where the following command is available:
dns server dns-ip-address
A maximum dns-ip-address of two can be specified.
Default ACOS does not have a default SLB dynamic-service template.
Mode Global Configuration mode
Example The following example creates the dynamic-service template with the name
DNS_service1, and then binds it to the HTTPs vPort of Inside_VIP virtual
server.
ACOS(config)# slb template dynamic-service DNS_service1

ACOS(config-dynamic-service)# dns server 10.10.1.253
ACOS(config-dynamic-service)# dns server 2001:db8::1521:31ac
ACOS(config-dynamic-service)# exit
page 68
ACOS-Inside(config)# slb virtual-server Inside_VIP 10.10.1.30

ACOS-Inside(config-slb vserver)# port 443 https
ACOS-Inside(config-slb vserver-vport)# service-group FW1_Inspect_SG
ACOS-Inside(config-slb vserver-vport)# template client-ssl SSLInsight_ClientSide
ACOS-Inside(config-slb vserver-vport)# template policy Explicit_Proxy
ACOS-Inside(config-slb vserver-vport)# template dynamic-service DNS_service1
slb template external-service

Description Configure an External Service template to steer traffic to external servers for
additional processing, based on application.
Syntax [no] slb template external-service template-name

This command enters the SLB External-Service Template Configuration

Command Description
[no] bypass-ip IPv4-address If configuring for ICAP-based Traffic Steering, specifies the controller IP
{/nn | netmask} address.
[no] failure-action Specifies the action performed by ACOS when any of the following types
{continue | drop | reset} of events occurs:
• ACOS fails to select an external-service server.
• Failure during creation of a new connection to external-service server.
• The response from the external-service server does not contain HTTP
status code 200 or 403.
• Exhaustion of memory when creating a request to external-service

server.
The failure action can be one of the following:
• continue – Allows the client’s request to go to the content server.
• drop – Silently drops connection and does not send a reset to the cli-
ent.
• reset – Sends a connection reset to the client.
NOTE: If a TCP error occurs while ACOS is waiting for a response, ACOS
resets the connection. For example, this occurs in the case of a connec-
tion reset by a URL filtering server.
The default is continue.
page 69
Command Description
[no] request-header-for- Enable forwarding of additional headers to the proxy server. If there are
ward header-name multiple headers with the same name from the client, then only the first
header instance will be forwarded.
The URL Filter server’s HTTP module parses the client request and saves
the results in the corresponding data structure. ACOS then inserts the
configured header when it forwards the HTTP request to the proxy server.
If the response from the proxy server is good, then ACOS connects to the
destination server. If the response from the proxy server is bad, then
ACOS closes the connection.
Only GET and POST methods are forwarded by the SLB “external-service”
template, so only these methods will forward the configured request-
headers to the proxy servers.
A maximum of 16 HTTP headers can be forwarded. One HTTP header

only can be 1036 bytes, including the HTTP header name and HTTP
header element. Anything longer than that will be truncated at 1036 bytes.
If there are multiple headers with the same name from the client, then only
the first header instance will be forwarded.
This is not enabled by default.

[no] service-group Binds the service group that contains the external-service servers to this
group-name template. Specify the service group that contains the external-service
servers (for example, ICAP-based Traffic Steering servers or URL-filtering
servers). Do not specify the service group containing the content servers
(HTTP servers).
If configuring for ICAP-based Traffic Steering, specify the group of servers

here, but not the controller. Specify the controller using the bypass-ip
command (described below)
[no] template Applies a template to the external-service template. Specify one or both of
template-type template-name the following:
• persist source-ip template-name – Applies a source-IP per-

sistence template to the external-service template.
• tcp-proxy template-name – Applies a custom TCP-proxy template

to use for managing the TCP connections with the servers.
[no] timeout num action Sets the maximum number of seconds ACOS waits for a response from
[continue | drop | reset] the server. If the server does not reply before the timeout expires, ACOS
takes the configured action, which can be one of the following:
• continue – Allows the client’s request to go to the content server.
• drop – ACOS silently drops the connection and does not send a reset to
the client.
• reset – ACOS sends a connection reset to the client.
The default is 1000ms, continue.
page 70
Command Description
[no] type Specifies the traffic type to redirect:
[icap-traffic-steering |
url-filter] • icap-traffic-steering – Steers Internet Content Adaptation Proto-
col (ICAP) to external controllers.
• url-filter – Steers HTTP requests from clients to external URL-filter-

ing servers.
The default is url-filter.
Default The configuration does not have a default External Service template. If you
configure one, the template has the default values described in the table
above.
slb template fix

Description Configure a template for Financial Information Exchange (FIX) load balanc-
ing.
Syntax [no] slb template fix template-name

long.
This command enters the SLB FIX Template Configuration mode where the
Command Description
[no] insert-client-ip Inserts an AVP with the original client IP address to the tag 11447. For exam-
ple, if the client IP address is 40.40.40.20, this option will modify the tag to
“11447=40.40.40.20” when the server receives this client’s PUSH data.
page 71
Command Description
[no] tag-switching Inspects the FIX message header for a SenderCompID or TargetCompID tag
[sender-comp-id | value and uses a specific service group if the tag matches the Equals keyword.
target-comp-id] The ACOS device can inspect FIX messages and perform service group
equals string switching with one of the following options:
service-group name
• sender-comp-id – Selects a service group for FIX requests based on the
value of the SenderCompID tag. This tag identifies the financial institution
that is sending the request.
• target-comp-id – Selects a service group for FIX requests based on the

value of the TargetCompID tag. This tag identifies the financial institution to
which the request is being sent.
If you select the Sender Comp ID or Target Comp ID radio button, the following
options are displayed:
• equals string – Specifies a keyword which ACOS matches against the

TargetCompID or SenderCompID tag of a FIX message header.
NOTE: The keyword is case sensitive and must match exactly with the
SendCompID tag or TargetCompID tag. For example, “ABC” is different from
“Abc”.
• service-group name – Selects the service-group to use for a client request

when the SenderCompID or TargetCompID tag in the FIX message header
of the request matches the specified keyword.
Default The configuration does not have a default FIX template.
slb template ftp

Description Configure a template for FTP load balancing.
Syntax [no] slb template ftp template-name

long.
This command enters the SLB FTP Template Configuration mode where the
[no] active-mode-port
If you plan to use a non-standard FTP port number, use this option to specify
the port number, 1-65535.
Default The configuration does not have a default FTP template.
page 72
slb template http

Description Configure HTTP modifications to server replies to clients and configure load
balancing based on HTTP information.
Syntax [no] slb template http template-name

long.
This command enters the SLB HTTP Template Configuration mode where
Command Description
[no] 100-cont-wait-for- When the server receives an HTTP Post request with an Expect:100 Con-
req-complete tinue, it considers all subsequent inbound packets as belonging to the
request until it receives the expected number of packets for the request.
page 73
Command Description
[no] compression option Offloads Web servers from CPU-intensive HTTP compression operations.
Options for this command are:
• auto-disable-on-high-cpu percent
Configures an automatic disable of HTTP compression based on CPU
utilization. The percent option specifies the threshold. You can specify 1-
100.
• content-type content-string
Specifies type of content to compress, based on a string in the content-
type header of the HTTP response. The content-string can be 1-31 charac-
ters long.
The “text” and “application” types are included by default.
• enable – Enables compression.

• exclude-content-type content-string
Excludes the specified content type from being compressed. The content-
string can be 1-31 characters long.
• exclude-uri uri-string
Excludes an individual URI from being compressed. The URI string can
be 1-31 characters. An HTTP template can exclude up to 10 URI strings.
• keep-accept-encoding enable
Configures the ACOS device to leave the Accept-Encoding header in
HTTP requests from clients instead of removing the header.
When keep-accept-encoding is enabled, compression is performed by the

real server instead of the ACOS device, if the server is configured to per-
form the compression. The ACOS device compresses the content that
the real server does not compress. This option is disabled by default,
which means the ACOS device performs all the compression.
• level number
Specifies compression level. You can use compression level 1-9. Each
level provides a higher compression ratio, beginning with level 1, which
provides the lowest compression ratio. A higher compression ratio
results in a smaller file size after compression. However, higher compres-
sion levels also require more CPU processing than lower compression
levels, so performance can be affected.
Compression is supported only for HTTP and HTTPS virtual ports. Com-
pression is not supported for fast-HTTP virtual ports.
The default level is 1.
• minimum-content-length bytes
Specifies the minimum length (in bytes) a server response can be in order
to be compressed. The length applies to the content (payload) only and
does not include the headers. You can specify 0-2147483647 bytes.
The default is 120 bytes.

[no] failover-url Specifies the fallback URL to send in an HTTP 302 response when all real
url-string servers are down.
page 74
Command Description
[no] host-switching Selects a service group based on the value in the Host field of the HTTP
{starts-with | header. The selection overrides the service group configured on the virtual
contains | port.
ends-with}
host-string service-group
service-group-name • For host-string, you can specify an IP address or a hostname. If the
host-string does not match, the service group configured on the virtual
port is used.
• starts-with host-string – matches only if the hostname or IP

address starts with host-string.
• contains host-string – matches if the host-string appears any-

where within the hostname or host IP address.
• ends-with host-string – matches only if the hostname or IP address

ends with host-string.
[no] insert-client-ip Inserts the client’s source IP address into HTTP headers. If you specify an
[http-header-name] HTTP header name, the source address is inserted only into headers with
[replace] that name.
The replace option replaces any client addresses that are already in the
header. Without this option, the client IP address is appended to the lists of
client IP addresses already in the header. For example, if the header already
contains “X-Forwarded-For:1.1.1.1” and the current client’s IP address is
2.2.2.2, the replace option changes the field:value pair to “X-Forwarded-
For:2.2.2.2”. Without the replace option, the field:value pair becomes “X-
Forwarded-For:1.1.1.1, 2.2.2.2”.
[no] insert-client-port Inserts the source protocol port of the client’s request into the HTTP
[http-header-name] header. If no header name is specified, the X-ClientPort header is used.
[replace]
The replace option allows you to replace the content of an existing header
that matches the configured name with the client’s port number. If no
header name is specified, the X-ClientPort header is used. If the replace
option is not specified, and there is a header that matches the configured
name, the client’s port number is added to the end of the specified header.
[no] keep-client-alive Keeps the session between ACOS and the session up even after the part of
the session between ACOS and the backend server is terminated.
[no] log-retry Logs HTTP retries. An HTTP retry occurs when the ACOS device resends a
client’s HTTP request to a server because the server did not reply to the first
request. (HTTP retries are enabled using the retry-on-5xx or retry-on-
5xx-per-req command in the HTTP template.)
[no] non-http-bypass Redirects non-HTTP traffic to a specific service group. By default, the ACOS
service-group group-name device will drop non-HTTP requests that are sent to an HTTP port.
page 75
Command Description
[no] redirect Automatically sends a redirect response to HTTP client requests. You can optionally
[location location |
secure | specify the following:
[secure] port portnum ] • location location
[response-code
{301 | 302 | 303 | 307}]
A static location string to which the client will be redirected.
• port portnum
TCP port number to use for the redirect.
• response-code
The response code to apply. 302 Found is used by default. The following
response codes can be configured:
• 301 (Moved Permanently)
• 302 (Found)
• 303 (See Other)
• 307 (Temporary Redirect).
• secure
The client will be redirected using HTTPS.

[no] redirect-rewrite Modifies redirects sent by servers by rewriting the matching URL string to
match url-string the specified value before sending the redirects to clients.
rewrite-to url-string
[no] redirect-rewrite Changes HTTP redirects sent by servers into HTTPS redirects before send-
secure ing the redirects to clients.
{port tcp-portnum}
To redirect clients to the default HTTPS port (443), enter the following com-
mand:
redirect-rewrite secure
To redirect clients to an HTTPS port other than the default, enter the follow-
ing command instead: redirect-rewrite secure port port-num
[no] req-hdr-wait-time Sets a request header wait time to prevent Slowloris attacks. All portions of
seconds a client’s request header must be received within the specified amount of
time. Otherwise, ACOS terminates the connection. You can specify 1-31
seconds. The default is 7.
[no] request-header-erase Erases the specified header (field) from HTTP requests.
field
[no] Inserts the specified header into HTTP requests. The field:value pair indi-
request-header-insert cates the header field name and the value to insert.
field:value
[insert-always | If you use the insert-always option, the command always inserts the
field:value pair. If the request already contains a header with the same
insert-if-not-exist]
field name, the new field:value pair is added after the existing
field:value pair. Existing headers are not replaced.
If you use the insert-if-not-exist option, the command inserts the

header only if the request does not already contain a header with the same
field name.
Without either option, if a request already contains one or more headers

with the specified field name, the command replaces the last header.
page 76
Command Description
[no] Parses HTTP request lines with no case sensitivity.
request-line-case-insen-
sitive
[no] Replaces data in the HTTP response from the server. The original-con-
response-content-replace tent specifies the content to look for in server responses. The new-con-
original-content tent specifies the content to use to replace the original content. For each
new-content value, you can specify a string of 1-127 characters. If a string contains
blank spaces, use double quotation marks around the string.
NOTE: A maximum of 8 content-replacement rules are supported in a given

HTTP template.
[no] Erases the specified header (field) from HTTP responses.
response-header-erase
field
[no] response-header- Inserts the specified header into HTTP responses. The field:value pair
insert field:value indicates the header field name and the value to insert.
[insert-always |
insert-if-not-exist] If you use the insert-always option, the command always inserts the
field:value pair. If the response already contains a header with the same
field name, the new field:value pair is added after the existing
If you use the insert-if-not-exist option, the command inserts the

header only if the response does not already contain a header with the
same field name.
Without either option, if a response already contains one or more headers

with the specified field name, the command replaces the first header.
[no] retry-on-5xx num Configures the ACOS device to retry sending a client’s request to a service
port that replies with an HTTP 5xx status code, and reassign the request to
another server if the first server replies with a 5xx status code. The retry
number specifies the number of times the ACOS device is allowed to reas-
sign the request.
For example, assume that a service group has three members (s1, s2, and
s3), and the retry is set to 1. In this case, if s1 replies with a 5xx status code,
the ACOS device reassigns the request to s2. If s2 also responds with a 5xx
status code, the ACOS device will not reassign the request to s3, because
the maximum number of retries has already been used.
If you use this command, the ACOS device stops sending client requests to
a service port for 30 seconds following reassignment. If you want the ser-
vice port to remain eligible for client requests, use the following command
instead. An HTTP template can contain one or the other of these com-
mands, but not both.
NOTE: The 5xx options are supported only for virtual port types HTTP and
HTTPS. They are not supported for fast-HTTP or any other virtual port type.
[no] retry-on-5xx-per-req This command provides the same function as the retry-on-5xx com-
num mand (described above). However, the retry-on-5xx-per-req command
does not briefly stop using a service port following reassignment. An HTTP
template can contain one or the other of these commands, but not both.
[no] Forces the ACOS device to perform the server selection process anew for
strict-transaction-switch every HTTP request. Without this option, the ACOS device reselects the
same server for subsequent requests (assuming the same server group is
used), unless overridden by other template options.
page 77
Command Description
[no] template logging Specifies a logging template to use for external logging of HTTP events
template-name over TCP.
[no] Enables the ACOS device to terminate HTTP 1.1 client connections when
term-11client-hdr- the “Connection: close” header exists in the HTTP request. This option is
conn-close applicable to connection-reuse deployments that have HTTP 1.1 clients
that are not compliant with the HTTP 1.1 standard. Without this option, ses-
sions for non-compliant HTTP 1.1. clients are not terminated.
[no] url-hash-persist Enables server stickiness based on hash values. If this feature is config-
[offset offset-bytes] ured, for each URL request, the ACOS device calculates a hash value based
{first | last} bytes on part of the URL string. The ACOS device then selects a real server based
[user-server-status] on the hash value. A given hash value always results in selection of the
same real server. Thus, requests for a given URL always go to the same real
server.
The offset option specifies how far into the string to begin hash calcula-
tion.
The first and last options specify which end of the URL string to use to
calculate the hash value.
The bytes option specifies how many bytes to use to calculate the hash
value.
Optionally, you can use URL hashing with either URL switching or host
switching. Without URL switching or host switching configured, URL hash
switching uses the hash value to choose a server within the default service
group (the one bound to the virtual port). If URL switching or host switching
is configured, for each HTTP request, the ACOS device first selects a service
group based on the URL or host switching values, then calculates the hash
value and uses it to choose a server within the selected service group.
The use-server-status option enables server load awareness, which

allows servers to act as backups to other servers, based on server load.
NOTE: This feature requires some custom configuration on the server. For
information, see the “URL Hash Switching” section in the “HTTP Options for
SLB” chapter of the Application Delivery and Server Load Balancing Guide.
[no] url-switching Selects a service group based on the URL string requested by the client.
{starts-with | The selection overrides the service group configured on the virtual port.
ends-with |
url-case-insensitive | • starts-with – matches only if the URL starts with url-string.
url-hits-enable}
url-string
service-group • contains – matches if the url-string appears anywhere within the
service-group-name URL.
• ends-with – matches only if the URL ends with url-string.
• url-case-insensitive – enable case-insensitive matching for URL

switching rules.
• url-hits-enable – enable URL hits.
Each URL matching pattern can be up to 64 bytes long.
NOTE: You can use URL switching or Host switching in an HTTP template,
but not both. However, if you need to use both types of switching, you can
do so with an aFleX script.
page 78
NOTE: For a list of media type strings, see the Internet Assigned Numbers
Authority Web site: http://www.iana.org/assignments/media-types
NOTE: The order in which content-type, exclude-content-type, and

exclude-uri filters appear in the configuration does not matter.
NOTE: You can use URL switching or Host switching in an HTTP template,
but not both. However, if you need to use both types of switching,
you can do so with an aFleX script.
Default The configuration has a default HTTP template. In the template, most
options are disabled or not set.
Compression is disabled by default. When you enable it, it has the default
settings described in the table above.
To display the default HTTP template settings, use the show slb template
http default command.
Usage The normal form of this command creates an HTTP configuration template.
The no form of this command removes the template.
You can bind only one HTTP template to a virtual port. However, you can
bind the same HTTP template to multiple ports.
Header insertion is not supported on fast-HTTP virtual ports.

When the keep-client-alive option is enabled, the way ACOS keeps the
session with the client up depends on the way the server session is
terminated:
• Normal TCP/IP connection termination by a TCP RST or FIN – ACOS

does not forward the RST or FIN to the client, and instead leaves the cli-
ent session open. (Technically, the session is left in the client-request-
state, wherein ACOS awaits the client’s next request.)
• “Connection: Close” header option in the response – ACOS removes this
header from the server reply before forwarding the reply to the client.
• Client is using HTTP 1.0, and did not use the “Connection: Keep-Alive”
header option – ACOS inserts this header from the server reply before
forwarding the reply to the client.
Starts-with, Contains, and Ends-with Rule Matching
The starts-with, contains, and ends-with options are always applied in the
following order, regardless of the order in which the commands appear in the
configuration. The service group for the first match is used.
• starts-with
page 79
• contains
• ends-with
If a template has more than one command with the same option (starts-
with, contains, or ends-with) and a host name or URL matches on more
than one of them, the most-specific match is always used. For example, if a
template has the following commands, host "ddeeff" will always be directed
to service group http-sgf:
slb template http http-host
host-switching starts-with d service-group http-sgd
host-switching starts-with dd service-group http-sge
host-switching starts-with dde service-group http-sgf
If a contains rule and an ends-with rule match on exactly the same string,
the ends-with rule is used, because it has the more specific match.
If you use the starts-with option with URL switching, use a slash in front of
the URL string. For example:
url-switching starts-with /urlexample service-group http-sg1
Redirect-Rewrite Rule Matching
If a URL matches on more than redirect-rewrite rule within the same HTTP
template, the ACOS device selects the rule that has the most specific match
to the URL. For example, if a server sends redirect URL 66.1.1.222/000.html,
and the HTTP template has the redirect-rewrite rules shown below, the ACOS
device will use the last rule because it is the most specific match to the URL:
slb template http 1
redirect-rewrite match /00 rewrite-to http://66.1.1.202/a
redirect-rewrite match /000.html rewrite-to /001.gif
redirect-rewrite match 66.1.1.222/000.html rewrite-to 66.1.1.202/
003.bmp
Example The following commands configure an HTTP template called “http-compres-

sion” that enables compression. The minimum length a packet must be for it
to be compressed is set at 120 bytes.
ACOS(config)# slb template http http-compression

ACOS(config-http)# compression enable
ACOS(config-http)# compression minimum-content-length 120
Example The following commands configure an HTTP template called “http-header”

that inserts the client IP address and a Cookie field into HTTP headers in
requests from clients before sending the requests to servers:
ACOS(config)# slb template http http-header

ACOS(config-http)# insert-client-ip
page 80
ACOS(config-http)# header-insert Cookie:a = b
Example The following commands configure an HTTP template called “http-host” that
selects a service group based on the contents of the Host field in the HTTP
headers of client requests. Requests for hostnames that start with “Gossip”
are directed to service group “http-sg1”. Requests for hostnames that con-
tain “NewsDeskA” are directed to service group “http-sg2”. Requests for
hostnames that end with “weather.com” are directed to service group “http-
sg3”.
ACOS(config)# slb template http http-host

ACOS(config-http)# host-switching starts-with Gossip service-group http-sg1
ACOS(config-http)# host-switching contains NewsDeskA service-group http-sg2
ACOS(config-http)# host-switching ends-with weather.com service-group http-sg3
Example These commands configure an HTTP template to use URL hashing. Hash
values are calculated based on the last 8 bytes of the URL. In this example,
URL switching is also configured in the template. As a result, the ACOS
device uses URL switching to select a service group first, then uses URL
hashing to select a server within that service group. If the template did not
also contain URL switching commands, this template would always select a
server from service group sg3.
ACOS(config)# slb template http hash

ACOS(config-http)# url-hash-persist last 8
ACOS(config-http)# url-switching starts-with /news service-group sg1
ACOS(config-http)# url-switching starts-with /sports service-group
sg2
ACOS(config-http)# exit
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# service-group sg3
ACOS(config-slb vserver-vport)# template http hash
Example These commands configure an HTTP template called “http-compress”, that

uses compression level 5 to compress files with media type “application” or
“image”. Files with media type “application/zip” are explicitly excluded from
compression.
ACOS(config)# slb template http http-compress

ACOS(config-http)# compression enable
ACOS(config-http)# compression level 5
ACOS(config-http)# compression content-type image
ACOS(config-http)# compression exclude-content-type application/zip
Example These commands configure an HTTP template that replaces the client IP
addresses in the X-Forwarded-For field with the current client IP address:
ACOS(config)# slb template http clientip-replace
page 81
ACOS(config-http)# insert-client-ip X-Forwarded-For replace
Example These commands enter slb-port template configuration mode for the port
name xyz, then configures that port, upon receiving an HTTP request with an
Expect: 100 Continue, assigns all subsequent packets to that request until it
receives an expected number of packets.
ACOS(config)# slb template http abc

ACOS(config-http)# 100-cont-wait-for-req-complete
slb template http-policy

Description Configure an HTTP-policy template to override WAF template application for
different types of client traffic.
Syntax [no] slb template http-policy template-name

long.
This command enters the SLB HTTP-Policy Template Configuration mode

Command Description
[no] cookie Matches based on cookie values. For descriptions of the other options,
match-option cookie-value see below.
template waf-template-name
[no] cookie-name Matches based on cookie names. For descriptions of the other options,
match-option cookie-name see below.
[no] geo-location string Matches the traffic source based on its geo-location.
{service-group group-name
[template waf template-name]
| template waf template-name
[service-group group-name]}
[no] host Matches based on host names. For descriptions of the other options, see
match-option host-name below.
[no] url Matches based on URL strings. For descriptions of the other options, see
match-option url-string below.
match-option Type of matching to perform:
• equals – Matches only if the URL, hostname, or cookie name com-

pletely matches the specified string.
• starts-with – Matches only if the URL, hostname, or cookie name

starts with the specified string.
• contains – Matches if the specified string appears anywhere within

the URL, hostname, or cookie name.
• ends-with – Matches only if the URL, hostname, or cookie name

ends with the specified string.
page 82
Usage These match options are always applied in the order shown above, regard-
less of the order in which the rules appear in the configuration. The WAF
template associated with the rule that matches first is used.
If a template has more than one rule with the same match option (equals,
starts-with, contains, or ends-with) and a URL matches on more than one of
them, the most-specific match is always used.
For more information, see the Web Application Firewall Guide.
slb template imap-pop3

Description Configure an IMAP/POP3 template.
Syntax [no] slb template imap-pop3 template-name

long.
This command enters the SLB IMAP Template Configuration mode where
the following commands are available:
Command Description
logindisabled When used, the server will expect the login to be in an encrypted format.
This option is only valid for IMAP configuration.

starttls Configure whether or not STARTTLS is used.
{disabled |
optional | • disabled - the ACOS device will not support STARTTLS.
enforced}
• optional - the ACOS device will not expect STARTLS and can function
without using SSL.
• enforced - for IMAP., only the CAPABILITY command can precede START-
TLS; all other commands are rejected. For POP3, no commands are
allowed before STARTTLS; all commands are rejected.
Default The configuration does not have a default logging template.
Example The following example configures an IMAP template with STARTTLS

enforced, then applies the template to a virtual port:
ACOS(config)# slb template imap-pop3 imap-temp

ACOS(config-imap-pop3)# logindisabled
ACOS(config-imap-pop3)# starttls enforced
ACOS(config-imap-pop3)# exit
ACOS(config)# slb virtual-server imap-vserver
ACOS(config-slb vserver)# port 143 imap
page 83
ACOS(config-slb vserver-vport)# template imap-pop3 imap-temp
slb template logging

Description Configure external logging over TCP.
Syntax [no] slb template logging template-name

long.
This command enters the SLB Logging Template Configuration mode where
Command Description
[no] format string Configures a log string. Web logging is described in detail in the “Web Log-
ging for HTTP and RAM Caching” section of the Application Delivery and
Server Load Balancing Guide.
[no] local-logging {0 | 1} Enables or disables local logging:
• 0 – Disables local logging.
• 1 – Enables local logging.
The default is 0 (disabled).

[no] pcre-mask pattern Mask matched Perl Compatible Regular Expression (PCRE) pattern in the
[keep-end num | log.
keep-start num |
mask char • Use keep-end to specify the number of unmasked characters to keep
]
at the end (0-65535); the default is 0.
• Use keep-start to specify the number of unmasked characters to

keep at the start (0-65535); the default is 0.
• Use mask to specify a character to use as the mask for the matched pat-
tern; the default is “X”.
[no] service-group For remote logging, specifies the name of the service group that contains
group-name the log servers.
[no] template tcp-proxy Binds a TCP-proxy template to the logging template.
template-name
page 84
Default The configuration does not have a default logging template.
Usage Logging over TCP also requires some additional configuration. See the Appli-
cation Delivery and Server Load Balancing Guide.
slb template monitor

Description Configure a link monitoring template.
Syntax [no] slb template monitor num
Replace num with the identification number of the template. This can be a
number between 1 to 16.
This command enters the SLB Monitor Template Configuration mode where
Command Description
[no] action options Specifies the action to perform when a monitored event is
detected.
• clear sessions {all | sequence portnum}

• link-disable eth portnum sequence portnum
• link-enable eth portnum sequence portnum
[no] monitor options Specifies the events and links (Ethernet data ports) to monitor.
• link-down eth portnum [eth portnum ...]

sequence portnum
• link-up eth portnum [eth portnum ...]
sequence portnum
[no] monitor-and Uses the logical operator “AND” for link monitoring. The actions
are performed only if all of the monitored events are detected.
This is selected by default.
[no] monitor-or Uses the logical operator “OR”. The actions are performed if
any of the monitored events are detected.
Default The ports within a given monitor entry are always ANDed. If you specify
more than one port (eth portnum option) in the same monitor entry, the
specified event must occur on all the ports in the entry. For example, if you
page 85
specify link-down eth 9 eth 11, the link must go down on ports 9 and 11, for
the link-state changes to count as a monitored event.
Usage The logical operator applies only to monitor entries, not to action entries. For
example, if the logical operator is OR, and at least one of the monitored
events occurs, all the actions configured in the template are applied.
You can configure the entries in any order. In the configuration, the entries of
each type are ordered based on sequence number.
Example The following commands configure monitor template 1:
ACOS(config)# slb template monitor 1

ACOS(config-monitor)# monitor-or
ACOS(config-monitor)# monitor link-down eth 5 sequence 1
ACOS(config-monitor)# action clear sessions sequence 1
ACOS(config-monitor)# action link-disable eth 5 sequence 2
Example The following example shows how to use the SLB link monitoring command
in a CGN shared partition:
ACOS(config)# allow-slb-cfg enable

ACOS(config)# slb template monitor 1
ACOS(config-monitor)# monitor-or
ACOS(config-monitor)#
slb template persist cookie

Description Configure session persistence by inserting persistence cookies into server
replies to clients.
Syntax [no] slb template persist cookie template-name

long.
page 86
This command enters the SLB Persist Cookie Template Configuration mode
Command Description
[no] domain domain-name Adds the specified domain name to the cookie.
[no] dont-honor-conn-rules Ignores connection limit settings configured on real servers and real ports.
This option is useful for applications in which multiple sessions (connec-
tions) are likely to be used for the same persistent cookie.
By default, this is disabled; the connection limit set on real servers and real
ports is used.
[no] expire expire-seconds Specifies the number of seconds a cookie persists on a client’s PC before
being deleted by the client’s browser. You can specify from 0 to
31,536,000 seconds (one year). (Do not enter the commas.) If you specify
0, cookies persist only for the current session.
The default value is 10 years.
NOTE: Although the default is 10 years (essentially, unlimited), the maxi-

mum configurable expiration is one year.
[no] httpOnly Sets the HTTP-only flag in the persistence cookie.
[no] insert-always Specifies whether to insert a new persistence cookie in every reply, even if
the request already had a persistence cookie previously inserted by the
ACOS device.
This is disabled by default; the ACOS device inserts a persistence cookie

only if the client request does not already contain a persistence cookie
inserted by the ACOS device, or if the server referenced by the cookie is
unavailable.
page 87
Command Description
[no] match-type Changes the granularity of cookie persistence.
{server [service-group] |
service-group} • server – The cookie inserted into the HTTP header of the server reply
[scan-all-members] to a client ensures that subsequent requests from the client for the
same VIP are sent to the same real server. (This assumes that all virtual
ports of the VIP use the same cookie persistence template with match-
type set to server.)
Without this option, the default behavior is used: subsequent requests

from the client will be sent to the same real port on the same real server.
• server service-group – Sets the granularity to the same as server,

and also enables cookie persistence to be used along with URL switch-
ing or host switching. Without the service-group option, URL switch-
ing or host switching can be used only for the initial request from the
client. After the initial request, subsequent requests are always sent to
the same service group.
• service-group – This option enables support for URL switching and

host switching, along with the default cookie persistence behavior.
• scan-all-members – This option scans all members bound to the tem-

plate. This option is useful in configurations where match-type “server”
is used, and where some members have different priorities or are dis-
abled. (For more information about this option, see the “Scan-All-Mem-
bers Option in Persistence Templates” chapter in the Application Delivery
and Server Load Balancing Guide.)
NOTE: To use URL switching or host switching, you also must configure
an HTTP template with the host-switching or url-switching com-
mand.
The default match type is port. (There is no port keyword. See “Usage”
for more information.)
[no] name cookie-name Specifies the name of the persistence cookie, 1-63 characters.
The default name is “sto-id”.

[no] pass-thru Enables pass-through mode for passive cookie persistence.

[no] path path-name Adds path information to the cookie, 1-31 characters.
The default path is “/”.

[no] secure Enable secure attribute.
page 88
Default The configuration does not have a default cookie-persistence template. If

you create one, it has the defaults described in the table above.
Usage The normal form of this command creates a cookie-persistence template.

You can bind only one cookie-persistence template to a virtual port.

However, you can bind the same cookie-persistence template to multiple
ports.
When cookie persistence is configured, the ACOS device adds a persistence

cookie to the server reply before sending the reply to the client. The client’s
browser re-inserts the cookie into each request.
For security, address information in the cookie is encrypted.
The format of the cookie depends on the match-type setting:
• match-type (port) – This is the default setting. Subsequent requests

from the client will be sent to the same real port on the same real server.
URL switching or host switching can be used only for the first request.
The cookie that the ACOS device inserts into the server reply has this
format:
Set-Cookie: cookiename-vport=rserverIP_rport
The vport is the virtual port number. The rserverIP is the real server IP
address and the rport is the real server port number.
The port option is shown in parentheses because the CLI does not have
a “port” keyword. If you do not set the match type to server (see below),
the match type is automatically “port”.
• match-type server – Subsequent requests from the client for the same
VIP will be sent to the same real server, provided that all virtual ports of
the VIP use the same cookie persistence template with match-type set
to server. URL switching or host switching can be used only for the first
request.
The cookie that the ACOS device inserts into the server reply has this
format:
Set-Cookie: cookiename=rserverIP
• match-type (port) service-group – Subsequent requests from the cli-

ent will be sent to the same real port on the same real server, within the
service group selected by URL switching or host switching. URL switch-
ing or host switching, if configured, is still used for every request.
The cookie that the ACOS device inserts into the server reply has the fol-
lowing format:
page 89
Set-Cookie: cookiename-vport-servicegroupname=rserverIP_rport
• match-type server service-group – Subsequent requests from the cli-

ent for the same VIP will be sent to the same real server, within the ser-
vice group selected by URL switching or host switching. URL switching
or host switching, if configured, is still used for every request.
The cookie that the ACOS device inserts into the server reply has the fol-
lowing format:
Set-Cookie: cookiename-servicegroupname=rserverIP
Example The following commands configure a cookie persistence template named

“persist-cookie”. The template inserts a cookie named “MyCookie”, contain-
ing the real server’s IP address and protocol port in encrypted form, into
server responses before sending the responses to clients. The template also
sets the cookie to persist on client PCs for only 10 minutes (600 seconds).
ACOS(config)# slb template persist cookie persist-cookie

ACOS(config-cookie persist)# name MyCookie
ACOS(config-cookie persist)# expire 600
slb template persist destination-ip

Description Configure the granularity of load balancing persistence (selection of the
same server resources) for clients, based on destination IP address.
Syntax [no] slb template persist destination-ip template-name
This command enters the SLB Persist Destination-IP Template

Configuration mode where the following commands are available.
Command Description
[no] Ignores connection limit settings configured on real servers and real ports.
dont-honor-conn-rules This option is useful for applications in which multiple sessions (connections)
are likely to be used for the same persistent destination IP address.
This is disabled by default; the connection limit set on real servers and real
ports is used.
[no] hash-persist Enables hash-based persistence. Hash-based persistence provides the per-
sistence and performance benefits of hash-based load balancing, while allow-
ing use of advanced SLB features that require stateful load balancing.
(For more information, see “Hash-based IP Persistence” in the Application

Delivery and Server Load Balancing Guide.)
page 90
Command Description
[no] match-type Specifies the granularity of persistence:
{server | service-group}
[scan-all-members] • server – Traffic to a given destination IP address is always sent to the
same real server, for any service port.
By default (without the server option), traffic to the same destination IP

address and virtual port is always sent to the same real port. This is the
most granular setting.
• service-group – This option is applicable if you also plan to use URL

switching or host switching. If you use the service-group option, URL or
host switching is used for every request to select a service group. The first
time URL or host switching selects a given service group, the load-balanc-
ing method is used to select a real port within the service group. The next
time URL or host switching selects the same service group, the same real
port is used. Thus, service group selection is performed for every request,
but once a service group is selected for a request, the request goes to the
same real port that was selected the first time that service group was
selected.
• scan-all-members – This option scans all members bound to the tem-

plate. This option is useful in configurations where match-type “server” is
used, and where some members have different priorities or are disabled.
(For more information about this option, see the “Scan-All-Members Option
in Persistence Templates” chapter in the Application Delivery and Server Load
Balancing Guide.)
To use URL switching or host switching, you also must configure an HTTP
template with the host-switching or url-switching command.
For SLB, by default, traffic to a given destination IP address and port is always
sent to the same real port. This is the most granular setting. (There is no port
keyword.)
[no] netmask ipaddr Specifies the granularity of IPv4 address hashing for initial server port selec-
tion.
You can specify an IPv4 network mask in dotted decimal notation.
• To configure initial server port selection to occur once per destination VIP
subnet, configure the network mask to indicate the subnet length. For
example, to select a server port once for all requested VIPs within a subnet
such as 10.10.10.x, 192.168.1.x, and so on (“class C” subnets), use mask
255.255.255.0. SLB selects a server port for the first request to the given
VIP subnet, the sends all other requests for the same VIP subnet to the
same port.
• To configure initial server port selection to occur independently for each

requested VIP, use mask 255.255.255.255. (This is the default.)
[no] netmask6 Specifies the granularity of IPv6 address hashing for initial server port selec-
mask-length tion. (See above for more information.), The default is 128.
[no] timeout Specifies how many minutes the mapping remains persistent after the last
timeout-minutes time it is used. You can specify 1-2000 minutes.
Default The configuration does not have a default destination-IP persistence tem-
plate. If you configure one, it has the defaults specified in the table above.
page 91
Usage The normal form of this command creates a destination-IP persistence tem-
plate. The “no” form of this command removes the template.
You can bind only one destination-IP persistence template to a virtual port.
You can bind the a destination-IP persistence template to multiple ports.
Use of the service-group match-type option scan-all-members is not useful

in conjunction with destination-IP persistence templates, and is not
supported.
Example The following command creates a destination-IP persistence template

named “persist-dest”:
ACOS(config)# slb template persist destination-ip persist-source
slb template persist source-ip

Description Configure the granularity of load balancing persistence (selection of the
same server resources) for clients, based on source IP address.
Syntax [no] slb template persist source-ip template-name
This command enters the SLB Persist Source-IP Template Configuration

Command Description
dont-honor-conn-rules This option is useful for applications in which multiple sessions (connec-
tions) are likely to be used for the same persistent client source IP address.
This is disabled by default; the connection limit set on real servers and real
ports is used.
[no] Enables Source-IP Persistence Override and Reselect. When this feature is
enforce-higher-priority enabled, the ACOS device continually checks for the presence of higher-pri-
ority servers, even if source-IP persistence is enabled and sessions are
already established between client and server.
[no] hash-persist Enables hash-based persistence. Hash-based persistence provides the per-
sistence and performance benefits of hash-based load balancing, while
allowing use of advanced SLB features that require stateful load balancing.

[no] incl-dst-ip Used to support the ALG protocol firewall load balancing feature for proto-
cols such as FTP. This option helps ensure that special persistent session
will be matched on both the source IP and destination IP addresses.
[no] incl-sport Includes the source port in persistent sessions.
page 92
Command Description
[no] match-type Specifies the granularity of persistence:
{server [scan-all-members]
| service-group} • server – Traffic from a given client to the same VIP is always sent to the
same real server, for any service port requested by the client.
By default (without the server option), traffic from a given client to the
same virtual port is always sent to the same real port. This is the most
granular setting.
• The scan-all-members option scans all members bound to the tem-

plate. This option is useful in configurations where match-type “server” is
used, and where some members have different priorities or are disabled.
• service-group – This option is applicable if you also plan to use URL

switching or host switching. If you use the service-group option, URL or
host switching is used for every request to select a service group. The
first time URL or host switching selects a given service group, the load-
balancing method is used to select a real port within the service group.
The next time URL or host switching selects the same service group, the
same real port is used. Thus, service group selection is performed for
every request, but once a service group is selected for a request, the
request goes to the same real port that was selected the first time that
service group was selected.
NOTE: To use URL switching or host switching, you also must configure an
HTTP template with the host-switching or url-switching command.
NOTE: The match type for FWLB is always server, which sets the granu-
larity of source-IP persistence to individual firewalls, not firewall groups or
individual service ports.
For SLB, by default, traffic from a given client to the same virtual port is
always sent to the same real port. This is the most granular setting. (There
is no port keyword.)
For FWLB, the default is server and none of the other match-type options
are applicable.
[no] netmask ipaddr Specifies the granularity of IP address hashing for server port selection.
• To configure server port selection to occur on a per subnet basis, config-

ure the network mask to indicate the subnet length. For example, to send
all clients within a subnet such as 10.10.10.x, 192.168.1.x, and so on
(“class C” subnets) to the same server port, use mask 255.255.255.0. SLB
selects a server port for the first client in a given subnet, the sends all
other clients in the same subnet to the same port.
• To configure server port selection to occur on a per client basis, use

mask 255.255.255.255. SLB selects a server port for the first request
from a given client, the sends all other requests from the same client to
the same port. (This is the default.)
The default is 255.255.255.255.

[no] netmask6 mask-length Specifies the granularity of IPv6 address hashing for initial server port
selection. (See above for more information.)
The default is 128.
page 93
Command Description
[no] timeout minutes Specifies period the mapping remains persistent after the last time traffic
from the client is sent to the server. You can specify 1-2000 minutes (about
33 hours).
The default timeout is 5 minutes.
Default The configuration does not have a default source-IP persistence template. If
you configure one, it has the defaults described in the table above.
Usage The normal form of this command creates a source-IP persistence template.
The “no” form of this command removes the template.
You can bind only one source-IP persistence template to a virtual port.
However, you can bind the same source-IP persistence template to multiple
ports.
If you use the incl-sport option, the IP address in the Forward Source
column of show session output is modified to include the source port. For
example, “155.1.1.151:33067” is shown as “1.151.129.43”.
Using the Same VIP and Port Number for TCP and UDP Ports
When applying the source-IP persistence template to two virtual ports with
the same VIP and protocol port number but different Layer 4 protocols (TCP
or UDP), member lists for the ports must be identical in both TCP and UDP
service groups.
For example, the following configuration works because service groups

5060-tcp and 5060-udp have the same member list although their protocols
are different.
slb virtual-server vip2 13.0.0.100
port 5060 sip-tcp
service-group 5060-tcp
template persist source-ip per-sip
port 5060 sip
service-group 5060-udp
template persist source-ip per-sip
!
slb service-group 5060-tcp tcp
member s1 5060
member s2 5060
!
slb service-group 5060-udp udp
member s1 5060
member s2 5060
The configuration will not work if the member lists in the service groups are
different. For example, the configuration will not work if the TCP group's
member list is changed to either of the following:
page 94

member s3 5060
member s4 5060
or
member s1 5061
member s2 5061
Example The following commands configure a source-IP persistence template named

“persist-source” and set the granularity to service-group:
ACOS(config)# slb template persist source-ip persist-source

ACOS(config-source ip persist)# match-type service-group
slb template persist ssl-sid

Description Direct clients based on SSL session ID.
SSL session-ID persistence directs all client requests for a given virtual port,
and that have a given SSL session ID, to the same real server and real port.
For example, with SSL session-ID persistence configured, all client requests
for virtual port 443 on virtual server 1.2.3.4 that have the same SSL session
ID will be directed to the same real server and port.
The persistence is based on the SSL session ID, not on the client IP address.
Syntax [no] slb template persist ssl-sid template-name

This command enters the SLB Persist SSL-SID Template Configuration
Command Description
dont-honor-conn-rules This option is useful for applications in which multiple sessions (connections)
are likely to be used for the same persistent SSL session ID.
Disabled by default; the connection limit set on real servers and real ports is
used.
[no] timeout minutes Specifies how many minutes the mapping remains persistent after the last
time traffic with the SSL session ID is sent to the server. You can specify 1-250
minutes. The default is 5 minutes.
Default The configuration does not have a default SSL session-ID persistence tem-
plate. If you configure one, it has the defaults described in the table above.
page 95
Usage The normal form of this command creates an SSL session-ID persistence
template. The “no” form of this command removes the template.
You can bind one SSL session-ID persistence template to a virtual port.
However, you can bind the same SSL session-ID persistence template to
multiple ports.
To display SSL session-ID persistence statistics, use the show slb l4
command.
Example The following commands configure an SSL session-ID persistence template

named “ssl-persist” and apply it to virtual port 443 on virtual server “vip1”:
ACOS(config)# slb template persist ssl-sid ssl-persist

ACOS(config-ssl session id persist)# exit
ACOS(config)# slb virtual-server vip1 1.2.3.4
ACOS(config-slb vserver)# port 443 tcp
ACOS(config-slb vserver-vport)# service-group https-sg1
ACOS(config-slb vserver-vport)# template persist ssl-sid ssl-persist
slb template policy

Description See “Config Commands: SLB Policy Templates” on page 141.
slb template port

Description See “Config Commands: SLB Real Port Templates” on page 161.
slb template reqmod-icap

Description See “Config Commands: SLB REQMOD ICAP Templates” on page 175.
slb template respmod-icap

Description See “Config Commands: SLB RESPMOD ICAP Templates” on page 183.
slb template server

Description See “Config Commands: SLB Server Templates” on page 189.
slb template server-ssl

Description See “Config Commands: SLB Server SSL Templates” on page 201.
page 96
slb template sip (over UDP)

Description See “Config Commands: SLB SIP Templates” on page 213.
slb template sip (over TCP/TLS)

Description See “Config Commands: SLB SIP Templates” on page 213.
slb template smpp

Description See “Config Commands: SLB SMPP Templates” on page 237.
slb template smtp

Description See “Config Commands: SLB SMTP Templates” on page 241.
slb template ssli

Description See “Config Commands: SLB SSLi Templates” on page 247.
slb template tcp

Description See “Config Commands: SLB TCP Templates” on page 251.
slb template tcp-proxy

Description See “Config Commands: SLB TCP Proxy Templates” on page 261.
slb template udp

Description See “Config Commands: SLB UDP Templates” on page 277.
slb template virtual-port

Description See “Config Commands: SLB Virtual Port Templates” on page 283.
slb template virtual-server

Description See “Config Commands: SLB Virtual Server Templates” on page 295.
page 97
page 98
Config Commands: SLB Cache Templates
This chapter describes the commands and subcommands for configuring SLB cache templates.
The following sections are available in this chapter:
• Global Configuration Commands
• SLB Cache Template Configuration Mode Commands
port.
Global Configuration Commands

The following global configuration mode command is available to configure SLB cache templates:
• slb template cache
slb template cache

Description Configure the ACOS device to perform transparent Web caching.
Syntax [no] slb template cache template-name

long.
This command enters the SLB Cache Template Configuration mode where
the commands in SLB Cache Template Configuration Mode Commands are
available.
page 99
Usage The normal form of this command creates a RAM caching configuration
template. The no form of this command removes the template.
You can bind only one RAM caching template to a virtual port. However, you
can bind the same RAM caching template to multiple ports.
If a URI matches the pattern in more than one policy command, the policy
command with the most specific match is used. For example, if a template
has the following commands, content for page122 is cached whereas
content for page123 is not cached:
policy uri /page12 cache 300
policy uri /page123 nocache
Wildcard characters (for example: ? and *) are not supported in RAM Caching
policies. For example, if the string pattern contains “*”, it is interpreted
literally, as the “*” character.
Matching is performed based on containment; all URIs containing the
pattern string match the rule. For example, the following policy matches all
URIs that contain the string “.jpg” and sets the cache timeout for the
matching objects to 7200 seconds:
policy uri .jpg cache 7200
Example The following commands configure a RAM caching template. In this exam-
ple, all the default RAM cache settings are used.
ACOS(config)# slb template cache ramcache

ACOS(config-ram caching)#
Example The following commands configure some dynamic caching policies. The pol-
icy that matches on “/list” caches content for 5 minutes. The policy that
matches on “/private” does not cache content.
ACOS(config)# slb template cache ram-cache

ACOS(config-ram caching)# policy uri /list cache 300
ACOS(config-ram caching)# policy uri /private nocache
Example The following commands configure a RAM caching template that will only
cache content from www.xyz.com/news-clips.
ACOS(config)# slb template cache ramcache

ACOS(config-ram caching)# default-policy-nocache
ACOS(config-ram caching)# policy uri www.xyz.com/news-clips cache
page 100
SLB Cache Template Configuration Mode Commands

The following SLB cache template commands are available:
• accept-reload-req
• age
• default-policy-nocache
• disable-insert-age
• disable-insert-via
• max-cache-size
• max-content-size
• min-content-size
• policy
• remove-cookies
• replacement-policy LFU
• template logging
• verify-host
To access these commands at the SLB cache template level, enter the slb template cache command.
accept-reload-req
Description Enables support for the following Cache-Control headers:
• Cache-Control: no-cache
• Cache-Control: max-age=0
When support for these headers is enabled, either header causes the ACOS
device to reload the cached object from the origin server.
Syntax [no] accept-reload-req
Default Disabled.
Mode SLB cache template configuration mode
ACOS(config)# slb template cache cache1

ACOS(config-ram caching)# accept-reload-req
page 101
age
Description Specifies how long a cached object can remain in the ACOS RAM cache
without being requested.
NOTE: NOTE: his value is used if the web server specifies that the object is
cacheable but does not specify for how long. If the server does spec-
ify how long the object is cacheable, then the server value is used
instead.
Syntax [no] age seconds
seconds Number of seconds (1-999999, about 11.5 days).
Default 3600 seconds (1 hour), if the server specifies that the object is cacheable but
does not specify for how long.
Example Set the age to 7200 seconds (2 hours):

ACOS(config-ram caching)# age 7200
default-policy-nocache
Description Changes the default cache policy in the template from cache to nocache.
This option gives you tighter control over content caching. When you use the
default no-cache policy, the only content that is cached is cacheable content
whose URI matches an explicit cache policy.
Syntax [no] default-policy-nocache
Default Default policy is cache.
Example Set the default policy to nocache:

ACOS(config-ram caching)# default-policy-nocache
page 102
disable-insert-age
Description Disables insertion of Age headers into cached responses.
Syntax [no] disable-insert-age
Default Insertion of Age headers is enabled by default.
Example Disable the insertion of Age headers into cached responses:

ACOS(config-ram caching)# disable-insert-age
disable-insert-via
Description Disables insertion of Via headers into cached responses.
Syntax [no] disable-insert-via
Default Insertion of Via headers is enabled by default.
Example Disable the insertion of Via headers into cached responses:

ACOS(config-ram caching)# disable-insert-via
max-cache-size
Description Specifies the size (in MB) of the RAM cache.
Syntax [no] max-cache-size num
num Maximum size (in MB) of the RAM cache (1-4096).
Default 80MB.
Example Set the maximum RAM cache size to 256MB:

ACOS(config-ram caching)# max-cache-size 256
page 103
max-content-size
Description Specifies the maximum object size that can be cached. The ACOS device will
not cache objects larger than this size. If you specify 0, no objects can be
cached.
Syntax [no] max-content-size num
num Maximum object size in Bytes, 0-268435455 bytes (256MB).
Default 81920 bytes (80 KB).
Example Set the maximum object size to 256MB:

ACOS(config-ram caching)# max-content-size 268435455
min-content-size
Description Specifies the minimum object size that can be cached. The ACOS device will
not cache objects smaller than this size. If you specify 0, all objects smaller
than or equal to the maximum content size can be cached.
Syntax [no] min-content-size num
num Minimum object size in Bytes, 0-268435455 bytes (256MB).
Default 512 bytes.
Example Set the minimum object size to 1024 bytes:

ACOS(config-ram caching)# min-content-size 1024
policy
Description Configure a policy for dynamic caching.
Syntax [no] policy {

local-uri pattern |
uri pattern {cache seconds | invalidate inv-pattern | nocache}
}
page 104
local-uri Specifies the portion of a local URL string to match on (1-63 characters).
uri Specifies the portion of the URL string to match on (1-63 characters).
cache Caches the content.
By default, the content is cached for the number of seconds configured in

the template (set by the age command). To override the aging period set in
the template, specify the number of seconds with the cache command
invalidate Invalidates the content that has been cached for inv-pattern.
nocache Does not cache the content.
Example The following commands configure some dynamic caching policies. The pol-
icy that matches on “/list” caches content for 5 minutes. The policy that
matches on “/private” does not cache content.
ACOS(config)# slb template cache ram-cache

ACOS(config-ram caching)# policy uri /list cache 300
ACOS(config-ram caching)# policy uri /private nocache
remove-cookies
Description Removes cookies from server replies so the replies can be cached. RAM
caching does not cache server replies that contain cookies. (Image files are
an exception. RAM caching can cache images that have cookies.)
Syntax [no] remove-cookies
Default By default, cookies are not removed.

ACOS(config-ram caching)# remove-cookies
replacement-policy LFU
Description Specifies Least Frequently Used (LFU) policy is used to make room for new
objects when RAM cache is full. When RAM cache is more than 90% full,
ACOS device discards least-frequently used objects to ensure room for new
objects.
Syntax [no] replacement-policy LFU
page 105

ACOS(config-ram caching)# replacement-policy LFU
template logging
Description Specifies a logging template to use for external logging of RAM caching
events over TCP.
Syntax [no] template logging {v-log | name}
v-log
name Name of an existing logging template.
Default 512 bytes.
Example Specify a logging template “extlog1” that should be used for logging RAM
caching events:

ACOS(config-ram caching)# tempalte logging extlog1
verify-host
Description Enables the ACOS device to cache the host name in addition to the URI for
cached content. Use this command if a real server that contains cacheable
content will host more than one host name (for example, www.abc.com and
www.xyz.com).
Syntax [no] verify-host
Default By default, this is disabled. Host names are not cached along with URIs for
cached content.

ACOS(config-ram caching)# verify-host
page 106
Config Commands: SLB Client SSL Templates
This chapter describes the commands and subcommands for configuring SLB client SSL templates.
• SLB Client SSL Template Configuration Mode Commands
To apply a template to a virtual port, use template command at the configuration level for the virtual
port.

The following global configuration mode command is available to configure SLB client SSL templates:
• slb template client-ssl
slb template client-ssl

Description Names an SSL client template and enters the configuration mode where you
can enable SSL client services, such as validation of SSL clients.
Syntax [no] slb template client-ssl template-name

long.
This command enters SLB Client-SSL Template Configuration mode where

commands in SLB Client SSL Template Configuration Mode Commands are
available.
Default If none of the SSL Client template sub-commands in the preceding table are
configured, the default action of the SSL Client template is the combined
default actions of the individual SSL C;lient sub-commands.
page 107
Usage The normal form of this command creates a client-SSL configuration tem-
plate. The no form of this command removes the template.
For the forward-proxy-bypass option, match rules are always applied in the
following order:
• equals sni-string
• starts-with sni-string
• contains sni-string
• ends-with sni-string
A client-SSL template can contain up to 128 certificates or certificate chains.

They must be imported onto the ACOS device. To import a certificate or
certificate chain, see the import command or “slb common” on page 20.
You can bind only one client-SSL template to a virtual port. However, you can
bind the same client-SSL template to multiple ports.
The close-notify option can not be used along with the TCP-proxy template
force-delete-timeout option. Doing so may cause unexpected behavior
Example The following commands configure a client-SSL template named “client-

ssl1” that uses imported CA certificates and requires clients to present their
certificates when requesting connections to servers:
ACOS(config)# slb template client-ssl client-ssl1

ACOS(config-client ssl)# ca-cert ca-bundle.crt
ACOS(config-client ssl)# client-certificate require
Example These commands configure a client SSL template to use an imported CA

certificate and key, and an imported Certificate Revocation List (CRL) from
the CA:
ACOS(config)# slb template client-ssl client-ssl1

ACOS(config-client ssl)# ca-cert ca-cert.pem
ACOS(config-client ssl)# ca-cert ca-crl.pem
ACOS(config-client ssl)# client-certificate require
Example The following example shows how the certificate drop action is enabled in
the SSL Client template named, ClientSide_vRouter. Specifically, the drop
action occurs when OCSP reports the certificate is not currently valid.
ACOS-Inside(config)# slb template client-ssl ClientSide_vRouter

ACOS-Inside(config-client ssl# forward-proxy-verify-cert-drop
Example This example demonstrates the forward-proxy-inspect command. In this

example of an AC class-list, all URLs ending with private.abc.com are
bypassed, while all URLs ending with public.abc.com will go through SSLi
processing.
page 108
ACOS# show config class-list

!Section configuration: 77 bytes
!
class-list my_class_list ac
ends-with abc.com
user-tag Security
!
ACOS# config
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# slb template client-ssl SSLi_vip_001_client_ssl
ACOS(config-client ssl)# forward-proxy-inspect class-list my_class_list
ACOS(config-client ssl)# forward-proxy-bypass contains private.abc.com
SLB Client SSL Template Configuration Mode Commands

The following SLB client SSL template commands are available:
• auth-username
• auth-username-attribute
• authorization
• ca-cert
• cert
• chain-cert
• cipher
• client-certificate
• client-certificate-Request-CA
• close-notify
• crl
• dh-param
• disable-sslv3
• ec-name
• enable-tls-alert-logging fatal
• forward-proxy-alt-sign
• forward-proxy-bypass
page 109
• forward-proxy-ca-cert
• forward-proxy-ca-key
• forward-proxy-cache-persistence
• forward-proxy-cert-cache
• forward-proxy-cert-expiry
• forward-proxy-cert-ext
• forward-proxy-cert-not-ready-action
• forward-proxy-cert-revoke-action
• forward-proxy-cert-unknown-action
• forward-proxy-cert-validity
• forward-proxy-crl-disable
• forward-proxy-decrypted dscp
• forward-proxy-enable
• forward-proxy-failsafe-disable
• forward-proxy-inspect
• forward-proxy-log-disable
• forward-proxy-ocsp-disable
• forward-proxy-selfsign-redir
• forward-proxy-source-nat
• forward-proxy-ssl-version
• forward-proxy-trusted-ca
• forward-proxy-verify-cert-fail-action
• hsm-param
• key
• non-ssl-bypass
• ocsp-stapling
• renegotiation-disable
• server-name
• server-name-regex
page 110
• session-cache-size
• session-cache-timeout
• session-ticket-lifetime
• ssl-false-start-disable
• sslv2-bypass
• template
• version
To access these commands at the SLB client SSL template level, enter the slb template client-ssl com-
mand.
auth-username
Description Specifies the field to check in SSL certificates from clients in order to find the
client name.
Syntax [no] auth-username {
[common-name]
[subject-alt-name-email]
[subject-alt-name-othername]
}
common-name Configuring this option causes the ACOS device to extract the client’s
common name from the certificate.
subject-alt-name-email Configuring this option causes the ACOS device to extract the Email
address from the client’s certificate. For example, if the client name is
“[email protected]” then the entire string “[email protected]” would
be extracted with this option
subject-alt-name-othername Configuring this option causes the ACOS device to extract the UPN infor-
mation from the certification. For example, if the client name is
“[email protected]” then the string “user” would be extracted with this
option.
Default The default is common-name.
Mode SLB client SSL template configuration mode
Usage Multiple options can be specified, but you must specify at least one.
If multiple options are specified, the ACOS device will attempt to extract the
username from the options in the order they are specified. For example:
auth-username subject-alt-name-email subject-alt-name-othername
page 111
This command causes the ACOS device to first attempt to extract the
username from subject-alt-name-email, and only if not found, will it then
attempt to extract the username from subject-alt-name-othername.
Example Configure the ACOS device to extract the Email address from the client cer-
tificate:

ACOS(config-client ssl)# auth-username subject-alt-name-email
auth-username-attribute
Description Specify attribute name of username for client SSL.
Syntax [no] auth-username-attribute string
string Attribute name (1-31 characters).
Default None.
Example Configure “username” as the username attribute name:

ACOS(config-client ssl)# auth-username-attribute username
page 112
authorization
Description Specify an LDAP server to user for client SSL authorization.
Syntax [no] authorization {server-name | service-group service-group-name}

[ldap-base-dn-from-cert]
[ldap-search-filter filter-string]
server-name Specifies the name of a previously configured ACOS LDAP authori-
zation server.
service-group service-group-name Specifies the name of a previously configured ACOS LDAP service
group.
ldap-base-dn-from-cert Specifies that LDAP authorization process uses the Subject DN as
the LDAP search base DN.
ldap-search-filter filter-string Provides the LDAP filter used in the authorization process. The
syntax rules for this filter string are provided in RFC 4515.
Example Configure an LDAP server for client SSL authorization:

ACOS(config-client ssl)# authorization ldap1 ldap-base-dn-from-cert
ca-cert
Description Specify the name of the Certificate Authority (CA) certificate to use for vali-
dating client certificates. The CA certificate must be installed on the ACOS
device.
(Use the import ca-cert command to install the CA certificate.)
page 113
If either of the ocsp options is included in the command line, ACOS checks
client’s SSL certificate via OCSP CA rather than using the CRL of the CA-
signer.
Syntax [no] ca-cert cert-name

[ocsp {ocsp-server-name | service-group ocsp-service-group-name}]
cert-name CA certificate name (1-255 characters).
ocsp-server-name Name of the OCSP server.
ocsp-service-group-name Name of the OCSP service group.
Example Example configuration:

ACOS(config-client ssl)# ca-cert exampleCA ocsp ocsp-server1
cert
Description Specifies the name of the certificate to use for terminating or initiating an
SSL connection. The certificate must be installed on the ACOS device.
Syntax [no] cert cert-name
cert-name CA certificate name (1-255 characters).

ACOS(config-client ssl)# cert examplecert
chain-cert
Description Specifies a certificate-key chain.
Syntax [no] chain-cert chain-cert-name
page 114
chain-cert-name Chain certificate name (1-255 characters).

ACOS(config-client ssl)# chain-cert examplechaincert
cipher
Description Specifies the cipher suite to support for certificates from clients.
Syntax [no] cipher cipher-name
cipher-name CA certificate name (1-255 characters).
By default, all supported ciphers are enabled. The supported

cipher are listed at https://www.a10networks.com/support/
axseries/appnotes/A10-Thunder-SSL_Cipher_List.pdf.
You can remove (or re-add) one cipher in the template with a sin-
gle command. Enter separate commands for each cipher to
remove or re-add.

ACOS(config-client ssl)# cipher SSL3_RSA_DES_64_CBC_SHA
page 115
client-certificate
Description Specifies the action that the ACOS device takes in response to a client’s con-
nection request.
Syntax [no] client-certificate {Ignore | Require | Request}
Ignore The ACOS device does not request the client to send its certificate.
Require The ACOS device requires the client certificate. This action requests
the client to send its certificate. However, the SSL handshake does
not proceed (it fails) if the client sends a NULL certificate or the cer-
tificate is invalid.
Request The ACOS device requests the client to send its certificate. With this
action, the SSL handshake proceeds even if either of the following
occurs:
• The client sends a NULL certificate (one with zero length).
• The certificate is invalid, causing client verification to fail.
Use this option if you want the request to trigger an aFleX policy for
further processing.
Default Ignore.

ACOS(config-client ssl)# client-certificate Require
client-certificate-Request-CA
Description Specifies the name of a CA certificate used in requests for client authentica-
tion.
Syntax [no] client-certificate-Request-CA cert-name
Default No default.
Usage Multiple CA certificates can be configured as described in the following

example.
Example The following commands configure the ACOS device to request the client
certificate and to send the list of more than 10 CAs in the certificate request.
page 116
This is achieved by configuring a chain cert (named LargeExample.chain

below) that contains multiple CA certificates:
ACOS(config)#slb template client-ssl client-ssl-example-name

ACOS(config-client ssl)#client-certificate-Request-CA ca1.crt
ACOS(config-client ssl)#client-certificate-Request-CA LargeExam-
ple.chain
close-notify
Description Enables closure alerts for SSL sessions. When this option is enabled, the
ACOS device sends a close_notify message when an SSL transaction ends,
before sending a FIN. This behavior is required by certain types of client
applications, including PHP cgi. For this type of client, if the ACOS device
does not send a close_notify, an error or warning appears on the client.
Syntax [no] close-notify

ACOS(config-client ssl)# close-notify
crl
Description Specifies the names of the Certificate Revocation Lists (CRLs) to use for ver-
ifying whether server certificates have been revoked. The CRLs must be
installed on the ACOS device first. (Use the import command for more
details). The CA certificate relevant to the CRL must also be specified.
When you add a CRL to a server-SSL template, the ACOS device checks the
CRL to confirm whether or not the servers’ certificates have been revoked or
not by the issuing Certificate Authority (CA).
page 117
Syntax [no] crl file-name
file-name CRL file name (1-255 characters).
Example This example shows how to add CRL and CA certificates to a client-SSL tem-
plate.

ACOS(config-client ssl)# client-certificate Require
ACOS(config-client ssl)# crl 10_ca.crt_crl.pem
ACOS(config-client ssl)# crl 20_ca.crt_crl.pem
ACOS(config-client ssl)# crl root-ca.pem.crl.pem
ACOS(config-client ssl)# ca-cert 10_ca_crt
ACOS(config-client ssl)# ca-cert 20_ca.crt
ACOS(config-client ssl)# ca-cert root-ca.pem
NOTE: NOTE: If you plan to use a CRL, you must set the client-certificate
mode to Require. The CRL should be signed by the same issuer as
the CA certificate. Otherwise, the client and ACOS device will not be
able to establish a connection.
dh-param
Description Specify Diffie-Hellman parameters.
Syntax [no] dh-param {1024 | 1024-dsa | 2048}

ACOS(config-client ssl)# dh-param 1024
disable-sslv3
Description Disables support for SSLv3 in client-SSL templates.
page 118
NOTE: NOTE: If you disable SSLv3 support, when ACOS receives an SSL
Hello message from a client, ACOS responds by sending a TCP-FIN
to the client to end the session.
Syntax [no] disable-sslv3
Default SSLv3 support is enabled by default.

ACOS(config-client ssl)# disable-sslv3
ec-name
Description Specifies the Elliptic Curve name.
Syntax [no] ec-name {secp256r1 | secp384r1}
Default secp256r1

ACOS(config-client ssl)# ec-name secp384r1
enable-tls-alert-logging fatal
Description Enables logging of TLS alerts that include the flow information such as
source IP address.
Syntax [no] enable-tls-alert-logging fatal

ACOS(config-client ssl)# enable-tls-alert-logging fatal
page 119
forward-proxy-alt-sign
Description Sets the forward proxy alternate signing certificate and certificate key.
Optionally sets a password phrase and corresponding encrypted password
string.
If the SSL site requested by the client is not on the trusted list (set by the
forward-proxy-trusted-ca command), the inside ACOS device signs the cert
with the key specified by this command.
Syntax [no] forward-proxy-alt-sign cert cert-name key key-name

[pass-phrase {pass-phrase | {encrypted encrypt-pw-string}}]
cert-name Certificate name.
key-name Certificate key.
pass-phrase Password (1-128 characters).
encrypt-pw-string Encrypted password string (1-512 characters).
Example Example configuration.

ACOS(config-client ssl)# forward-proxy-alt-sign cert certA key keyA pass-phrase example-
password
Example The keyword encrypted is only allowed in the no form of the command. For
example:

ACOS(config-client ssl)# forward-proxy-alt-sign cert certA key keyA pass-phrase encrypted
$1$7fe8790d$QepxCQt0M4aG9HUQvgwKO0
forward-proxy-bypass
Description Sets the match criteria for bypassing SSL Insight.
Syntax [no] forward-proxy-bypass {

case-insensitive |
class-list {name | multi-class-list name}
client-auth {
case-insensitive |
class-list name |
contains sni-string |
ends-with sni-string |
equals sni-string |
starts-with sni-string
}
contains sni-string |
ends-with sni-string |
page 120
equals sni-string |
starts-with sni-string |
web-category option
}
case-insensitive Disables case sensitivity for SNI string matching.
class-list Bypasses SSLi when the SNI of the external server URL matches based on the speci-
fied AC class list or class-lists.
When enabled by the multi-class-list command option, you can enter the names
of up to 16 file-type class lists for each slb template client-ssl instance. If not
enabled by the multi-class-list command option, you can enter only one class list
name.
client-auth Bypasses interception of client SSL authentication traffic. The class-list option
specifies an AC class list to use for SNI matching as a required additional criteria. The
sni-string options (equals, contains, ends-with, and starts-with) are described
below; these are SNI string criteria for matching as an additional criteria.
contains A string criteria that matches if the specified string appears anywhere within the SNI
value of the server URL.
ends-with String criteria that matches only if SNI value of the server URL ends with the specified
string.
equals String criteria that matches only if SNI value of the server URL completely matches the
specified string.
starts-with String criteria that matches only if SNI value of the server URL starts with specified
string.
web-category Bypasses traffic to URLs that are within the specified category.
Use web-category ? to view the list of available category options.
Example Example configuration to bypass SSLi for specific web categories:

ACOS(config-client ssl)# forward-proxy-bypass web-category financial-services
ACOS(config-client ssl)# forward-proxy-bypass web-category legal
forward-proxy-ca-cert
Description Name of the CA-signed certificate. Specify the same name you specified
when you uploaded the certificate to the ACOS device. This command
applies only to the certs that are forged on the ACOS device for the intercep-
tion of SSL sessions in SSLi configurations.
page 121
Syntax [no] forward-proxy-ca-cert cert-name
cert-name CA-signed certificate name (1-255 characters).

ACOS(config-client ssl)# forward-proxy-ca-cert myCAcert
forward-proxy-ca-key
Description Name of the private key for the CA-signed certificate. Specify the same
name you specified when you uploaded the key to the ACOS device.
This command applies only to the certs that are forged on the ACOS device
for the interception of SSL sessions in SSLi configurations.
Syntax [no] forward-proxy-ca-key key-name
key-name Key name (1-255 characters).

ACOS(config-client ssl)# forward-proxy-ca-key myCAkey
forward-proxy-cache-persistence
Description Specifies an Aho-Corasick (AC) class-list of SNIs of forged certificates that
are to be retained in the cache when ACOS is rebooted or whenever the
ACOS forward-proxy process is restarted. If an SNI in the certificate matches
an entry in this class list, it is retained; otherwise, it is dropped.
page 122
Syntax [no] forward-proxy-cache-persistence class-list name
name Class-list name (1-63 characters).
Default If a persist class list is not bound to a client-SSL template, the cached forged
certificates do not persist.

ACOS(config-client ssl)# forward-proxy-cache-persistence class-list cl1
forward-proxy-cert-cache
Description Configures forward proxy certificate cache options.
Syntax [no] forward-proxy-cert-cache {limit bytes | timeout seconds}
Paramete
r Description
limit Specifies the certificate cache size limit in bytes (0-2147483647).
The default is 1024. Set the limit to 0 for unlimited size.

timeout Specifies the certificate cache timeout value in seconds (0-
2147483647).
The default is 1 hour.
Set the timeout to 0 for the certificate cache to never timeout. A Cer-
tificate can remain in the cache up to the value set in cache timeout.
When a certificate exceeds that time, it is removed.

ACOS(config-client ssl)# forward-proxy-cert-cache timeout 7200
page 123
forward-proxy-cert-expiry
Description The number of hours that the forward proxy certificates will be valid.
Shortening the lifetime of the forged forward-proxy certs reduces the

security risk if any are stolen. From 1 to 168 hours can be specified.
If the expiry occurs after the validity end-date, then this command will adjust
the validity end date.
Syntax [no] forward-proxy-cert-expiry hours hours
Paramete
r Description
hours Number of hours (1-168).
Default By default, the forged forward proxy certs have the same expiration as the
original certificates.

ACOS(config-client ssl)# forward-proxy-cert-expiry hours 48
forward-proxy-cert-ext
Description Specify the certificate extension for a Certificate Revocation List Distribution
Point (CRLDP) or an Authority Information Access extension for Online Cer-
tificate Status Protocol (OCSP) or Certificate Authority (CA) Issuer for certifi-
cate validation.
Syntax [no] forward-proxy-cert-ext {crldp | aia {ca-issuers | ocsp}} URI
Example Example configuration to add a distribution point extension for a CRL.
ACOS(config)#slb template client-ssl SSL-Client

ACOS(config-client ssl)#forward-proxy-cert-ext crldp http://www.example.com/example.crt
page 124
forward-proxy-cert-not-ready-action
Description Configures the action of the client connection if ACOS does not have the proxied cert ready.
Syntax [no] forward-proxy-cert-not-ready-action {bypass | reset}

• bypass - ACOS bypasses SSL proxy services and forwards the client packets to the
actual SSL server.
• reset - ACOS requests an SSL connection reset. If the proxied cert is ready after the
reset, the SSL proxy session is negotiated.
Default By default, SSL proxy session is bypassed when the proxied cert is not ready.

ACOS(config-client ssl)# forward-proxy-cert-not-ready-action reset
forward-proxy-cert-revoke-action
Description Configures the action of the client connection if OCSP or CRL verification
determines the certificate is irreversibly revoked. The options available are
bypassing SSL Proxy, continuing with the connection, or dropping the con-
nection.
Syntax [no] forward-proxy-cert-revoke-action {bypass | continue | drop}
Default By default, SSL proxy is bypassed if OCSP or CRL verification determines any
certificate in the chain is unknown.

ACOS(config-client ssl)# forward-proxy-cert-revoke-action continue
forward-proxy-cert-unknown-action
Description Configures the action of the client connection if OCSP or CRL verification
determines the certificate status is ‘unknown.’ The options available are
bypassing SSL Proxy, continuing with the connection, or dropping the con-
nection.
page 125
Syntax [no] forward-proxy-cert-unknown-action {bypass | continue | drop}
Default By default, SSL proxy is bypassed if OCSP or CRL verification determines any
certificate in the chain is irreversibly revoked.

ACOS(config-client ssl)# forward-proxy-cert-unknown-action drop
forward-proxy-cert-validity
Description Specify the starting and ending certificate validation period in which the cer-
tificate status and information will be maintained.
Syntax [no] forward-proxy-cert-validity {notafter | notbefore} day month

year
day Set the day of the month (1-31).
month Set the month (1-12).
year Set the year (2005-2035).
Default None.
Mode SLB Client SSL Template Configuration Mode
Example The following example shows how to add the starting validation time of
November 1, 2005 for proxied certificates from the ACOS device.
ACOS(config)#slb template client-ssl SSL-Client

ACOS(config-client ssl)#forward-proxy-cert-validity notbefore 1 11 2005
forward-proxy-crl-disable
Description Disable Certificate Revocation List (CRL) services for SSLi (forward-proxy).
page 126
Syntax [no] forward-proxy-crl-disable
Default By default, CRL for SSLi is enabled.

ACOS(config-client ssl)# forward-proxy-crl-disable
forward-proxy-decrypted dscp
Description Sets the DSCP value for decrypted and bypassed traffic for SSLi configura-
tions.
Syntax [no] forward-proxy-decrypted dscp dscp_value_decrypted
dscp_value_bypassed
dscp_value_decrypted DSCP value for decrypted traffic. The
value ranges from 1 to 63.
dscp_value_bypassed DSCP value for bypassed traffic. The
value ranges from 1 to 63.
Default None.
Usage Use this command to set the DSCP value for encrypted and bypassed traffic
in an SSLi client template. If the service group has a template with DSCP
configured, this command takes precedence.
ACOS(config)# slb template client-ssl SSLi

ACOS(config-client ssl)# forward-proxy-decrypted dscp 6 1
page 127
forward-proxy-enable
Description Enable SSL Insight support.
This command applies only to SSLi configurations.
Syntax [no] forward-proxy-enable

ACOS(config-client ssl)# forward-proxy-enable
forward-proxy-failsafe-disable
Description Forward proxy (SSLi) failsafe enables SSLi traffic interception to be
bypassed when there is a handshake failure. The most common handshake
failures are due to servers only accepting elliptical ciphers.

Syntax [no] forward-proxy-failsafe-disable
Default This feature is enabled by default; use this command to disable SSLi failsafe.

ACOS(config-client ssl)# forward-proxy-failsafe-disable
forward-proxy-inspect
Description Perform SSL Insight only if the traffic matches an entry in the specified class
list. and is not bypassed by any other matching criteria. Only Aho-Corasick
class-lists are supported by this command.
The forward-proxy-inspect criteria are applied first before any forward

proxy bypass matching criteria. If forward-proxy-inspect is not configured,
all SSL sessions are inspected for the other bypass matching criteria.
page 128
Syntax [no] forward-proxy-inspect class-list name
name Class-list name (1-63 characters).
Example The following example shows how the forward-proxy-inspect command

works. In this example of an AC class-list, all URLs ending with pri-
vate.abc.com will be bypassed, while all URLs ending with public.abc.com
will go through SSLi processing.
ACOS# show config class-list

!
class-list my_class_list ac
ends-with abc.com
user-tag Security
!
ACOS# config
ACOS(config-client ssl)# slb template client-ssl SSLi_vip_001_client_ssl
ACOS(config-client ssl)# forward-proxy-inspect class-list my_class_list
ACOS(config-client ssl)# forward-proxy-bypass contains private.abc.com
forward-proxy-log-disable
Description Disable SSL forward proxy (SSLi) logging.
Syntax [no] forward-proxy-log-disable
Default SSLi logging is enabled by default; use this command to disable SSLi log-
ging.

ACOS(config-client ssl)# forward-proxy-log-disable
page 129
forward-proxy-ocsp-disable
Description Disable OCSP Stapling for SSL forward proxy (SSLi).
Syntax [no] forward-proxy-ocsp-disable

ACOS(config-client ssl)# forward-proxy-ocsp-disable
forward-proxy-selfsign-redir
Description With this option enabled, ACOS redirects traffic away from the self-signed
site and to a warning page in which the client sees “The page you have tried
to reach uses an untrusted certificate, please contact your administrator.”
Syntax [no] forward-proxy-selfsign-redir

ACOS(config-client ssl)# forward-proxy-selfsign-redir
forward-proxy-source-nat
Description To provision the SSL-Client template for source NAT, enter this command with either
the auto or pool pool-name option.
Syntax [no] forward-proxy-source-nat {pool pool-name [precedence] | auto

[precedence]}
• pool pool-name
When a fetched SSL session is connected and the source NAT pool
option is configured, the ACOS device replaces the client source IP
address of forwarded SSLi traffic with an address from the specified
NAT pool.
• auto
page 130
When a fetched SSL session is connected and the source NAT auto
option is configured, the ACOS device replaces the client source IP
address of forwarded SSLi traffic with the address of the real server that
is forwarding traffic to the SSL server.
• precedence
Enables source NAT configuration that is defined in the client SSL tem-
plate to have a higher priority than the source NAT defined in the SLB
policy template.
Default Source-NAT is disabled by default.
Usage This command applies only to SSLi configurations.
Example The following example configures dynamic IP addresses for source NAT in
the SSL-Client template:

ACOS(config-client ssl)# forward-proxy-source-nat auto
Example The following example configures static IP addresses for source NAT in the
SSL-Client template with precedence set for source NAT:
ACOS(config)# slb template client-ssl c-ssl2

ACOS(config-client ssl)# forward-proxy-source-nat pool p3
precedence
forward-proxy-ssl-version
Description Specify the version of SSL to be used with SSL Insight.
Syntax [no] forward-proxy-ssl-version {31 | 32 | 33}
31 SSL/TLS v1.0.
32 SSL/TLS v1.1.
33 SSL/TLS v1.2.
Default SSL/TLS v1.2

ACOS(config-client ssl)# forward-proxy-ssl-version 33
page 131
forward-proxy-trusted-ca
Description File in PEM format listing all the trusted CA certificates. When server verifica-
tion is configured using this list, the action is to drop client connections if the
certificate of the outside server is not on the trusted list.
This command applies only to the CA certs that are proxied for on the ACOS
device for the interception of SSL sessions in SSLi (that is, forward-proxy)
configurations.
Syntax [no] forward-proxy-trusted-ca file
file Trusted CA file name (1-255 characters).

ACOS(config-client ssl)# forward-proxy-trusted-ca new_self.crt
ACOS(config-client ssl)# forward-proxy-trusted-ca trustedCAs.pem
forward-proxy-verify-cert-fail-action
Description Configure the action of the client connection if CRL verification of any certifi-
cate fails. The options available are bypassing SSL Proxy, continuing with
the connection, or dropping the connection.
Syntax [no] forward-proxy-verify-cert-fail-action
{bypass | continue | drop}
Default By default, the client connection is dropped if CRL verification of any certifi-
cate in the chain is not successful.

ACOS(config-client ssl)# forward-proxy-verify-cert-fail-action bypass
page 132
hsm-param
Description Specify HSM parameters.
Syntax [no] hsm-param {thales-embed | thales-hwcrhk}
thales-embed Thales embed key.
thales-hwcrhk Thales hwcrhk key.

ACOS(config-client ssl)# hsm-param thales-embed
key
Description Specifies the key for the certificate, and the passphrase used to encrypt the
key.
Syntax [no] key key-name [pass-phrase string]
key-name Key name (1-255 characters).
string Password phrase (1-128 characters).

ACOS(config-client ssl)# key MyKey pass-phrase MyPassword
page 133
non-ssl-bypass
Description Specifies that non-SSL session traffic is redirected to the specified service
group.
Syntax [no] non-ssl-bypass service-group name
name Service group name (1-127 characters).

ACOS(config-client ssl)# non-ssl-bypass service-group Non_SSL_sg1
ocsp-stapling
Description Configure OCSP Stapling support.
Syntax [no] ocsp-stapling ca-cert cert-name ocsp
{auth-server-name | service-group group-name}
[period [days num | hours num | minutes num]
[timeout minutes]
cert-name CA certificate name.
auth-server-name OCSP authentication server name (1-63 characters).
group-name OCSP authentication service-group name (1-127 charac-
ters).
period Specifies how often ACOS contacts the server or service
group for updates.
Default is 1 hour.
timeout Specifies the timeout for server retries, 1-65535.
Default is 30 minutes.

ACOS(config-client ssl)# ocsp-stapling ca-cert MyCACert ocsp AuthServerName period hours 2
page 134
renegotiation-disable
Description Disable automatic TLS/SSL renegotiation.
ACOS allows for renegotiation of SSL connections over previously secured

channels to help speed up the re-establishment of previous SSL connections
with known clients. Disabling TLS/SSL renegotiations can help prevent
vulnerabilities that may lead to SSL/TLS renegotiation Man-In-TheMiddle
Attacks.
Syntax [no] renegotiation-disable
Default TLS/SSL renegotiations are enabled by default.
server-name
Description Configure Server Name Indication (SNI) in the client Hello extension.
Syntax [no] server-name server-name cert cert-name key key-name
[pass-phrase string]
server-name Server name string (1-63 characters).
cert-name Server certificate associated to SNI (1-255 characters).
key-name Server private key associated to SNI (1-255 characters).
string Help password phrase (1-128 characters).

ACOS(config-client ssl)# server-name SNIServer cert SNICert key SNIKey pass-phrase SNIHelp
server-name-regex
Description Configure Server Name Indication (SNI) in the ClientHello extension with reg-
ular expressions. The wildcard support includes the following regular expres-
sion symbols:
^ $ . | * + [ {
Usage of the following symbols is not supported:

? ( ) \
page 135
When a new connection request is made from client, the SNI from TLS
extension in ClientHello is captured and first checked against “server-name”
config with existing hash method. If no match found, it is compared with the
compiled regex string configured by server-name-regex. When multiple
server-name-regex entries match, the cert/key associated with the best
match is used.
Syntax [no] server-name server-name cert cert-name key key-name
[pass-phrase string]
server-name Server name string (1-63 characters).
cert-name Server certificate associated to SNI (1-255 characters).
key-name Server private key associated to SNI (1-255 characters).
string Help password phrase (1-128 characters).

ACOS(config-client ssl)# server-name SNIServer cert SNICert key SNIKey pass-phrase SNIHelp
Example These commands configure a client-SSL template that uses a wildcard entry
as the fully qualified domain name, thereby binding many server names in
client hello extensions with one certificate and key configuration. In this
example, the regex characters allow a match on www.exaple.com or
www.exmple.com.

ACOS(config-client ssl)# server-name-regex www.ex[am]ple.com cert cert1 key cert1
page 136
session-cache-size
Description Maximum number of cached sessions for SSL session ID reuse.
Syntax [no] session-cache-size entries
entries Number of entries.
The range of values allowed is from 0 to a maximum

dependent on the platform on which ACOS is running.
The value 0 disables session ID reuse.
Default The default is 0; session ID reuse is disabled.

ACOS(config-client ssl)# session-cache-size 1000
session-cache-timeout
Description Sets the maximum number of seconds a cache entry can remain unused
before being removed from the cache. Cache entries age according to the
ticket age time. The age time is not reset when a cache entry is used.
Syntax [no] session-cache-timeout seconds
seconds Number of seconds (0 - 604800 seconds).
Default The default is 0; session cache timeout is disabled.

ACOS(config-client ssl)# session-cache-timeout 5400
session-ticket-lifetime
Description Sets the lifetime for stateless SSL session ticketing. After a client’s SSL
ticket expires, they must complete an SSL handshake in order to set up the
next secure session with ACOS.
page 137
NOTE: This option is only supported on vThunder systems, and is not sup-
ported on hardware A10 Thunder Series or AX Series devices
Syntax [no] session-ticket-lifetime seconds
seconds Number of seconds.
Setting the lifetime to 0 disables the feature.
Default The default is 0; session ticket lifetime is disabled.

ACOS(config-client ssl)# session-ticket-lifetime 7200
ssl-false-start-disable
Description SSL False Start support for Google Chrome browser.
NOTE: The following ciphers are not supported for SSL False Start in the
current release:
SSL3_RSA_DES_64_CBC_SHA
SSL3_RSA_RC4_40_MD5
TLS1_RSA_EXPORT1024_RC4_56_MD5
If no other ciphers but these are enabled in the client-SSL template,

SSL False Start handshakes will fail.
Syntax [no] ssl-false-start-disable
Default SSL false start is enabled by default.

ACOS(config-client ssl)# ssl-false-start-disable
page 138
sslv2-bypass
Description Redirects clients who request SSLv2 sessions to the specified service group.
Syntax [no] sslv2-bypass service-group service-group-name
service-group-name Name of the service group (1-127 characters).

ACOS(config-client ssl)# sslv2-bypass service-group SSLv2_SG
template
Description Name of a cipher or HSM template to bind to client-SSL and server-SSL tem-
plates. In this case, the settings in the cipher template override any cipher
settings in the client-SSL template.
Syntax [no] template {cipher template-name | hsm template-name}
cipher SLB cipher template name (1-63 characters).
hsm HSM template name (1-63 characters).

ACOS(config-client ssl)# template cipher SLB_Cipher_Template
page 139
version
Description Downgrades or disables the TLS or SSL version specified in the client-SSL
template.
Syntax [no] version current_version downgrade_version
current_version Current TLS or SSLv3 version of the
client‐SSL certificate. The value ranges
from 30 to 33. The values are:
• 30-SSLv3.0
• 31-TLSv1.0
• 32-TLSv1.1
• 33-TLSv1.2
downgrade_version Downgraded TLS version of the client‐
SSL template.
Default The default version value is “33 31”, which means TLSv1.2 to TLSv1.0 is sup-
ported by default.
Usage SSLv3.0 is disabled by default. Run the command version 33 30 to enable support
for SSLv3.0.The disable-sslv3 command has higher precedence than the
version command.
Example Downgrade TLSv1.2 to TLSv1.1 for the client SSL template clientssl:

ACOS(config-client ssl)# version 33 32
page 140
Config Commands: SLB Policy Templates
This chapter describes the commands and subcommands for configuring SLB policy templates.
• SLB Policy Template Configuration Mode Commands
port.

The following global configuration mode command is available to configure SLB policy templates:
• slb template policy
slb template policy

Description Configure a template of Policy-Based SLB (PBSLB) settings.
Syntax [no] slb template policy template-name
template-name Template name (1-127 characters)
This command enters the SLB Policy Template Configuration Mode

Commands for the specified policy template.
Default The configuration does not have a default SIP over UDP template.
page 141
Usage The normal form of this command creates a PBSLB template. The no form of
this command removes the template.
You can bind only one PBSLB template to a virtual port. However, you can
bind the same PBSLB template to multiple ports.
PBSLB configuration on a virtual port can be set either using a template or by

configuring the individual settings on the port. Individual PBSLB settings and
a PBSLB template can not be configured on the same virtual port.
Apply the Policy Globally or on Individual Virtual Ports
The ACOS device also allows policy templates to be applied at the virtual-
server level. However, PBSLB does not take effect if you apply the policy
template at the virtual-server level. Only class lists are supported at the
virtual-server level. To use PBSLB, apply the policy template globally or on
individual virtual ports.
Comparing TCP and HTTP Template Application
For HTTP virtual servers:
• Connection limits are only applied at the Layer 4 TCP level.

• For Layer 7 HTTP, you must configure request limits or request-rate lim-
its.
Consider the following example, with “example-clist” class list applied to the
“example-policy” template:
ACOS(config)# class-list example-clist
ACOS(config-class list)# 100.1.0.0/16 lid 1
ACOS(config-class list)# exit
ACOS(config)# slb template policy sample-policy
ACOS(config-policy)# class-list example-clist
ACOS(config-policy-class-list:example-cl...)# lid 1
ACOS(config-policy-class-list:example-cli...)# conn-limit 5
ACOS(config-policy-class-list:example-cli...)# over-limit-action
forward log
ACOS(config-policy-class-list:example-cli...)# exit
ACOS(config-policy-class-list:example-cl...)# exit
ACOS(config-policy)# exit
This template can be applied to the following virtual server at Layer 4 TCP:
ACOS(config)# slb virtual-server example-vs-tcp 30.1.1.100
ACOS(config-slb vserver-vport)# template policy sample-policy
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# exit
page 142
However, for the following virtual server, the “example-policy” template

would not take effect, since connection limits are not applied at the Layer 7
HTTP level:
ACOS(config)# slb virtual-server example-vs-http 40.1.1.100
ACOS(config-slb vserver-vport)# template policy sample-policy
ACOS(config-slb vserver)# exit
ACOS(config)#
For the “example-vs-http” virtual server, you must configure request limits
and request rate limits. For example:
ACOS(config)# slb template policy sample-policy-2
ACOS(config-policy)# class-list example-clist
ACOS(config-policy-class-list:example-cl...)# lid 1
ACOS(config-policy-class-list:example-cli...)# request-limit 10
ACOS(config-policy-class-list:example-cli...)# over-limit-action
forward log
ACOS(config-policy-class-list:example-cli...)#
Example These commands configure a PBSLB template and bind it to a virtual port:
ACOS(config)# slb template policy bw1

ACOS(config-policy)# bw-list name bw1
ACOS(config-policy)# bw-list id 2 service srvcgroup2
ACOS(config-policy)# bw-list id 4 drop
ACOS(config-policy)# exit
ACOS(config)# slb virtual-server PBSLB_VS1 10.10.10.69
ACOS(config-slb vserver-port)# template policy bw1
Example The following example configures a bandwidth limit per source IP, using a
policy template and class list.
Configure the class list:

ACOS(config)# class-list clist1
ACOS(config-class list)# 100.100.1.1/24 lid 1
ACOS(config-class list)# exit
Configure the PBSLB template:

ACOS(config)# slb template policy p1
ACOS(config-policy)# class-list clist1
ACOS(config-policy-class-list:clist1)# lid 1
Configure the bandwidth limit (1 MB per second), and reset the connection
when the limit is exceeded.
page 143
ACOS(config-policy-class-list:clist1-lid:1)# bw-rate-limit 1000 per 10

ACOS(config-policy-class-list:clist1-lid:1)# over-limit-action reset
SLB Policy Template Configuration Mode Commands

The following SLB policy template commands are available:
• bw-list id
• bw-list name
• bw-list over-limit
• bw-list timeout
• bw-list use-destination-ip
• class-list
• forward-policy
• geo-location full-domain-tree
• geo-location overlap
• geo-location share
To access these commands at the SLB policy template level, enter the slb template policy command.
page 144
bw-list id
Description Specifies the action to take for clients using a Black/White list ID.
Syntax [no] bw-list id id {service-group name | drop | reset}

[logging [minutes] [fail]}
id Group ID in the Black/White list (0-1023).
name Sends clients to the SLB service group with the specified name on the ACOS device.
drop Drops connections for IP addresses that are in the specified group.
reset Resets connections for IP addresses that are in the specified group.
logging Enables logging. The minutes option specifies how often messages can be generated. This
option reduces overhead caused by frequent recurring messages.
For example, if the logging interval is set to 5 minutes, and the PBSLB rule is used 100 times
within a five-minute period, the ACOS device generates only a single message. The message
indicates the number of times the rule was applied since the last message. You can specify a
logging interval from 0 to 60 minutes. To send a separate message for each event, set the
interval to 0.
PBSLB rules that use the service-group name option also have a fail option for logging.
This option configures the ACOS device to generate log messages only when there is a failed
attempt to reach a service group. Messages are not generated for successful connections to
the service group. The fail option is disabled by default.
The fail option is not available for rules with the drop or reset option, since any time a
drop or reset rule affects traffic, this indicates a failure condition.
Logging is disabled by default. If you enable it, the default is 3 minutes.
Mode SLB policy template
Example Drop connections for clients matching Black/White list 3.

ACOS(config-policy)# bw-list id 3 drop
page 145
bw-list name
Description Binds the specified Black/White list to the virtual ports that use this tem-
plate.
Syntax [no] bw-list name name
name Black/White list file name.
Example Bind the Black/White list “example-bw-list” to virtual ports using this tem-
plate.

ACOS(config-policy)# bw-list name example-bw-list
bw-list over-limit
Description Specifies the action to take for traffic that is over the limit.
Syntax [no] bw-list over-limit {lockup lock-min | logging log-min | reset}
lock-min Do not accept any new connections for the specified number of
minutes (1-127).
log-min Generates a log message when traffic goes over the limit. This
option specifies the log interval and can be 1-255 minutes.
reset Resets new connections until the number of concurrent connec-
tions on the virtual port falls below the connection limit.
Default Drop
Usage The over-limit rule in a system-wide PBSLB policy includes an optional

lockup period. If the lockup period is configured, the ACOS device continues
to enforce the over-limit action for the duration of the lockup.
For example, if the over-limit action is drop, and a client exceeds the
connection limit that is specified in the Black/White list, the ACOS device
continues to drop all connection attempts from the client until the lockup
expires.
By default, the lockup option is disabled. To enable it, you must specify a
lockup period of 1-127 minutes.
page 146
The dynamic Black/White-list entry for a client does not age while the client
is locked up. After the lockup ends, the timeout for the entry is reset to its full
value and begins decreasing.
Example When traffic goes over the limit, do not accept any new connections for five
minutes.

ACOS(config-policy)# bw-list over-limit lockup 5
bw-list timeout
Description Number of minutes dynamic Black/White-list client entries can remain idle
before aging out.
Syntax [no] bw-list timeout num
num Number of minutes (1-127).
Default 5 minutes
Example Configure the timeout to 7 minutes.

ACOS(config-policy)# bw-list timeout 7
bw-list use-destination-ip
Description Matches Black/White list entries based on the client’s destination IP
address, instead of matching by client source address. Generally, this option
is applicable when wildcard VIPs are used.
Syntax [no] bw-list use-destination-ip
Default Disabled by default; the ACOS device matches by client source IP address.
Example Enable this feature.

ACOS(config-policy)# bw-list use-destination-ip
page 147
class-list
Description Create a class-list or geo-location class-list within the template.
Syntax [no] class-list name
name Name of the class-list (1-63 characters).
This command places you in a sub-configuration mode, where the following

additional commands are available:
Command Description
[no] client-ip Specifies the IP address to use for matching entries in an IP class list.
{l3-dest | l7-header [name]}
l3-dest
Matches based on the destination IP address in packets from clients.
l7-header [name]
Matches based on the IP address in the specified header name in pack-
ets from clients. If you do not specify a header name, the X-Forwarded-
For header is used. This is available only with request-limit and
request-rate-limit.
By default, the client’s IP address is used.

[no] lid num Adds a Limit ID (LID) entry to the class list, to specify traffic limits for cli-
ent traffic. Value of num ranges from 1 to 1023.
This command enters another configuration sub-mode, where the com-

mands described in “SLB Policy Template Class-List LID Configuration
Commands” on page 155 are available.
Usage The class-list request-limit and request-rate-limit options apply only to

HTTP, fast-HTTP, and HTTPS virtual ports.
These options, when configured in a policy template, are applicable only in

policy templates that are bound to virtual ports. These options are not
applicable in policy templates bound to virtual servers (rather than individual
ports).
The over-limit-action log option, when used with request-limit or

request-rate-limit, always lists Ethernet port 1 as the interface.
page 148
forward-policy
Description Configure a forward policy of an slb policy template to specify permitted traf-
fic destinations and sources along with the actions to apply. Forward policy
is a required component when configuring an explicit HTTP proxy.
Syntax [no] forward-policy
This command changes the CLI to forward-policy configuration mode, where

the commands in Table 1 are available:
TABLE 1 Commands in the forward-policy Configuration Mode

Command Description
action action-name Command in forward-policy configuration mode that specifies what to do
with requests. This command places you in a sub-configuration mode,
where the commands in Table 2 are available.
no-client-conn-reuse Command in forward-policy configuration mode that dictates that the
HTTP/HTTPS client will not send multiple requests to different destina-
tions over the same TCP connection between the client and the ACOS
device. This command has no sub-commands or command options.
NOTE: In the case of transparent proxy with SSL or SSLi, the no-client-
conn-reuse command is not supported.
source source-name Command in forward-policy configuration mode to specify match rules for
traffic sources and destination rules to define what destinations clients are
allowed to access. Multiple source rules may be defined, but only a single
source rule of match-any may be defined. This command places you in a
sub-configuration mode, where the commands in Table 3 are available.
ssli-url-filtering Command in forward-policy configuration mode to change default actions
{bypassed-sni-disable | related to the ACOS device device being used as a transparent proxy in
intercepted-sni-enable | SSLi.The following options are available for this command at this level:
intercepted-http-disable |
no-sni-allow}
• bypassed-sni-disable
By default, an SNI extension inspection is done on bypassed transparent
proxy SSLi traffic. Use this parameter to disable SNI inspection on
bypassed traffic.
• intercepted-sni-enable
By default, intercepted traffic is inspected only at the HTTP header level.
Use this parameter to enable SNI matching for intercepted transparent
proxy SSLi traffic.
• intercepted-http-disable
By default, intercepted transparent proxy SSLi traffic has the HTTP
header inspected. Use this parameter to disable http header inspection
for intercepted transparent proxy SSLi traffic.
• no-sni-allow
By default, if SNI filtering is enabled for bypassed or intercepted connec-
tions, and an SNI extension is not present, the packet is dropped. Use
this parameter to allow requests to be forwarded if SNI extension is not
found for transparent proxy SSLi traffic.
page 149
TABLE 2 Sub-Commands in the forward-policy action Configuration Mode

Command Description
[no] drop Sub-command in forward-policy-action configuration mode to drop
traffic.
[no] forward-to-internet fwd-sg Sub-command in forward-policy-action configuration mode to spec-
[snat snat-pool-name] ify the service-group name to send internet traffic to. The following
[fallback fallback-sg [snat fb- options are available in this command:
snat-pool-name]
• snat snat-pool-name
Parameters that apply a configured source NAT.
• fallback fallback-sg
Parameters that specify a service-group to send requests to for
approved destinations that the ACOS device device cannot resolve
.
• snat fb-snat-pool-name
Parameters that apply a configured source NAT for fallback
requests.
[no] Sub-command in forward-policy-action configuration mode to spec-
forward-to-service-group fwd-sg ify the service-group to send service-group traffic to. The following
[snat snat-pool-name] options are available in this command:
forward-to-proxy fwd-sg [snat Sub-command in forward-policy-action configuration mode to spec-
snat-pool-name] ify the service-group to send HTTP proxy server traffic to. This
chains an ACOS device to an upstream proxy server when ACOS
acts as a proxy. The following options are available in this command:
[no] log Sub-command in forward-policy-action configuration mode to pro-
vide log of actions taken.
[no] drop-message text Sub-command in forward-policy-action configuration mode. Follow-
ing the drop command, specify a message to appear. A default
“Access to this site is blocked by administrator” message appears if
nothing is specified.
• Commands drop-message and drop-redirect-url are mutually

exclusive actions. If both are entered, the prior command will be
overwritten by the more recent one.
• The command drop-message is not supported with SNI filtering.
page 150
TABLE 2 Sub-Commands in the forward-policy action Configuration Mode

Command Description
[no] drop-redirect-url url Sub-command in forward-policy-action configuration mode.
http-status-code
http-status-code] Following a drop command, specify a url to redirect to after a
client’s request is dropped. The http-status-code default is 302
Found.
• Commands drop-message and drop-redirect-url are mutually

exclusive actions. If both are entered, the prior command will be
overwritten by the more recent one.
• The command drop-redirect-url is not supported with SNI fil-

tering.
[no] sampling-enable {all | Sub-command in forward-policy-action configuration mode. Specify
hits} sampling-enable to enable baselining for all requests or for requests
that match the destination rule.
no-client-conn-reuse Command in forward-policy configuration mode that dictates that
the HTTP/HTTPS client does not send multiple requests to different
destinations over the same TCP connection between client and
ACOS device. This command has no sub-commands or command
options.
NOTE: In the case of transparent proxy with SSL or SSLi, the

no-client-conn-reuse command is not supported.
page 151
TABLE 3 Sub-Commands in the forward-policy source Configuration Mode

Command Description
[no] destination any {action Sub-command in forward-policy-source configuration mode to
action-name | sampling-enable specify the destination rule to default to for requests. The following
{all | hits}} options are available in this command:
• action action-name
Specify the action to take for requests not defined.
• sampling-enable {all | hits}

Specify sampling-enable to enable baselining for all requests or
for requests that match the destination rule.
[no] destination {class-list Sub-command in forward-policy-source configuration mode to
class-list- name | specify the destination to send internet traffic to, either based on a
web-category-list class-list or web-category list. The following options are available in
web-category-list-name} {action this command:
action-name} {host |ip | url}
{priority priority-num}
[sampling-enable {all | hits}] • class-list class-list-name
Specify the allowed class-list to apply your action to. An Aho-Cora-
sick or IP type class list may be used.
• web-category-list web-category-list-name
Specify the web-category-list to apply your action to.
• action action-name
Specify the action to take for the previously defined class-list or
web-category-list.
• host | ip | url
Define if a match should be based on the HTTP host header, or
layer 3 IP address, or HTTP URL. The ip parameter is not applica-
ble to
web-category-list, and will not show up as an option for this
configuration.
• priority priority num
Define the priority by providing a number for priority num. The

number determines what rule to use when multiple matches
occur.
• sampling-enable {all | hits}

Specify sampling-enable to enable baselining for all requests or
for requests that match the destination rule.
[no] match-any Sub-command in forward-policy-source configuration mode for
specifying a rule to when there is no class-list or web-category list
match from defined sources.
[no] match-authorize-policy Specify an aam authorization policy template to determine member-
authoriz-policy-name ship of users.
page 152
TABLE 3 Sub-Commands in the forward-policy source Configuration Mode

Command Description
[no] match-class-list class-list Sub-command in forward-policy-source configuration mode for
specifying the IPv4 or IPv6 class-list name to use with the matching
source rule.
Specify the class-list to match the source rule; multiple class-

lists can be specified by using one command per class-list.
[no] priority num Specify a source’s priority for aam authorization policy checking.
The highest priority that may be defined is 1024. Each priority must
have a unique value.
[no] sampling-enable {all | Sub-command in forward-policy-source configuration mode to
destination-match-not-found | specify baselining. The following options are available in this com-
hits | no-host-info}... mand at this level:
• all
Gather the number of all requests.
• hits
Gather the number of requests that match the defined source
rule.
• destination-match-not-found
Gather the number of requests with no matching destination rule.
• no-host-info
Gather number of requests that failed to parse ip or host informa-
tion.
Usage The forward policy action command defines actions that can be taken,
and is normally used in conjunction with forward-policy source rules that
link destination and matching rules for an slb template policy.
forward-to-internet fw-sg is just a placeholder.
Example Configure the action list Default_Deny to drop packets

ACOS(config-policy)# forward-policy
ACOS(config-policy-forward-policy)# action Default_Deny
ACOS(config-policy-forward-policy-action)# drop
Example Configure the source list Any_Source to apply the Default_Deny action for
any requests that are not defined by a class-list or web-category-list
ACOS(config-policy-forward-policy)# source Any_Source

ACOS(config-policy-forward-policy-source)# match-any
page 153
ACOS(config-policy-forward-policy-source)# destination any action Default_Deny
Example Configure the source s1 to match IPs from class-list Src-List and links the
destinations from class-list dest with rules to apply from the a1 action
sub template, using a url check with a priority of 10.

ACOS(config-policy)# forward-policy
ACOS(config-policy-forward-policy)# source s1
ACOS(config-policy-forward-policy-source)# match-class-list Src-List
ACOS(config-policy-forward-policy-source)# destination class-list dest action a1 url pri-
ority 10
geo-location full-domain-tree
Description Checks current connection count for the client’s specific geo-location and
for all geo-locations higher up in the domain tree.
It is recommended to enable or disable this option before enabling GSLB.

Changing the state of this option while GSLB is running can cause the
related statistics counters to be incorrect.
Syntax [no] geo-location full-domain-tree
Default Disabled by default; when a client requests a connection, the ACOS device
checks the connection count only for the specific geo-location level of the cli-
ent. If the connection limit for that specific geo-location level has not been
reached, the client’s connection is permitted.

ACOS(config-policy)# geo-location full-domain-tree
geo-location overlap
Description Enables overlap matching mode. If there are overlapping addresses in the
Black/White list or class list, use this option to enable the ACOS device to
find the most precise match.
Syntax [no] geo-location overlap
Default Disabled
page 154

ACOS(config-policy)# geo-location overlap
geo-location share
Description Enables sharing of PBLSB statistics counters for virtual servers and virtual
ports that use the template. This option causes the following counters to be
shared:
• Permit
• Deny
• Connection number
• Connection limit
It is recommended to enable or disable this option before enabling GSLB.

Changing the state of this option while GSLB is running can cause the
related statistics counters to be incorrect.
Syntax [no] geo-location share
Default Disabled

ACOS(config-policy)# geo-location share
SLB Policy Template Class-List LID Configuration

Commands
This section describes the commands available at the SLB policy template class-list LID configuration
level. Below is an example of how to access this level:
ACOS(config)# slb template policy pol1

ACOS(config-policy-class-list:clist1-lid:1)#
• action
• bw-rate-limit
page 155
• conn-limit
• conn-rate-limit
• over-limit-action
• request-limit
• request-rate-limit
• response-code-rate-limit
action
Description Specifies the ACOS behavior when a request matches the class list entry for
servers using the template.
Syntax [no] action MATCH-ACTION [LOG-TYPE]
MATCH-ACTION Specifies the behavior. Valid options include:
• service-group grp-name request is forwarded to specified service

group.
• reset ACOS sends RST to the
• drop ACOS drops the request

LOG-TYPE Specifies the log messages generated when a request matches the class list.
Valid options include.
• <no parameter> no entries are logged
• logging 0 actions are immediately logged
• logging <1 to 60> event are logged at the specified interval (minutes).
Default value is three.
• logging fail only unsuccessful connections are logged.
Mode SLB policy template class-list LID
Example This example configures the device to forward matching requests to the ser-
vice group gp1 and create a log entry every 15 minutes.

ACOS(config-policy-class-list:clist1-lid:1)# action service-group group1 logging 15
ACOS(config-policy-class-list:clist1)# end
The show class-list command provides a hitcount parameter that displays

the number of times a class list LID is matched:
page 156
ACOS# show class-list clist1

Name: clist1
Total single IP: 2
Total IP subnet: 1
Content:
1.1.1.1/32 lid 3 hitcount 0
1.1.1.2/32 lid 2 hitcount 0
13.13.13.0/24 lid 1 hitcount 3
bw-rate-limit
Description Configure the bandwidth rate limit for servers that use this template.
Syntax [no] bw-rate-limit num-bytes per num-100ms
num-bytes Rate limit in bytes (1-2147483647).
num-100ms Rate interval in number of 100ms increments (1-65535).
Example This example configures a bandwidth rate limit of 1,024,000 bytes per sec-
ond (10 100ms intervals):

ACOS(config-policy-class-list:clist1-lid:1)# bw-rate-limit 1024000 per 10
conn-limit
Description Specifies the maximum number of concurrent connections allowed for a cli-
ent.
Syntax [no] conn-limit num
num Maximum number of concurrent connections allowed (0-
1048575).
Connection limit 0 immediately locks down matching clients.
Example This example configures a connection limit of 10000 concurrent connec-

tions.
page 157

ACOS(config-policy-class-list:clist1-lid:1)# conn-limit 10000
conn-rate-limit
Description Specifies the maximum number of new connections allowed for a client
within the specified limit period.
Syntax [no] conn-rate-limit num-conn per num-100ms
num-conn Maximum number of new connections allowed (1-
2147483647).
num-100ms Interval in number of 100ms increments (1-65535).
Example This example configures 1,000,000 new connections allowed per second (10
100ms intervals):

ACOS(config-policy-class-list:clist1-lid:1)# conn-rate-limit 1000000 per 10
over-limit-action
Description Specifies the action to take when a client exceeds one or more of the limits.
The command also configures lockout and enables logging.
Syntax [no] over-limit-action [forward | reset] [lockout minutes]
[log minutes]
drop The ACOS device drops that traffic. If logging is enabled, the ACOS device
also generates a log message.
NOTE: There is no drop keyword; this is the default action.

forward The ACOS device forwards the traffic. If logging is enabled, the ACOS device
also generates a log message.
reset For TCP, the ACOS device sends a TCP RST to the client. If logging is enabled,
the ACOS device also generates a log message.
lockout Specifies the number of minutes during which to apply the over-limit action
after the client exceeds a limit. The lockout period is activated when a client
exceeds any limit. The lockout period can be 1-1023 minutes.
page 158
log Generates log messages when clients exceed a limit. When logging is
enabled, a separate message is generated for each over-limit occurrence, by
default. You can specify a logging period where the ACOS device holds the
repeated messages for the specified period, then sends one message at the
end of the period for all instances within the period. The logging period can be
0-255 minutes.
The default is 0 (no wait period)
request-limit
Description Specifies maximum number of concurrent Layer 7 requests allowed for a cli-
ent.
Syntax [no] request-limit num
num Number of concurrent Layer 7 requests (1-1048575).
request-rate-limit
Description Specifies the maximum number of Layer 7 requests allowed for the client
within the specified limit period.
Syntax [no] request-rate-limit num-req per num-100ms
num-req Maximum number of new requests allowed (1-4294967295).
num-100ms Interval in number of 100ms increments (1-65535).
response-code-rate-limit
Description Configure a limit for the number of times a specified range of server
response codes is received in a specified period of time.
page 159
NOTE: This feature only works for SMTP virtual ports. See the example
below.
Syntax [no] response-code-rate-limit

start-code-range - end-code-range num per seconds
start-code-range Start rage of server response codes (100-600).
end-code-range End range of server response codes (100-600).
num Number of times there is a match on the specified
response code(s).
seconds Time limit interval, in seconds.
Example This example configures a policy template with a response code rate limit
and then applies the template to an SMTP virtual port. The response code
rate limit will be exceeded when there are:
• 2 matches every 20 seconds for response codes numbered 500-590

• 15 matches per 127 seconds for response codes numbered 300-390
If either limit is exceeded, the reset action is applies fro 10 minutes and
logged.
ACOS(config-policy-class-list:clist1-lid:1)# over-limit-action reset lockout 10 log
ACOS(config-policy-class-list:clist1-lid:1)# response-code-rate-limit 500 - 590 2 per 20
ACOS(config-policy-class-list:clist1-lid:1)# response-code-rate-limit 300 - 390 15 per 127
ACOS(config-policy-class-list:clist1-lid:1)# end
ACOS# configure
ACOS(config)# slb virtual-server VS_SMTP1 10.5.5.10
ACOS(config-slb vserver)# port 25 smtp
ACOS(config-slb vserver-vport)# template policy pol1
page 160
Config Commands: SLB Real Port Templates
This chapter describes the commands and subcommands for configuring SLB real port templates.
• SLB Port Template Configuration Mode Commands
port.

The following global configuration mode command is available to configure SLB real port templates:
• slb template port
slb template port

Description Configure a template of SLB settings for service ports on real servers.
Syntax [no] slb template port {default | template-name}
default Edit the default port template. This template can be modified
in the same way as any custom template-name you specify.
This command enters the SLB Port Template Configuration Mode

Commands for the specified port template.
page 161
CAUTION: Before changing a default template, make sure the changes you plan
to make are applicable to all virtual ports that use the template.
Usage The normal form of this command creates a real port template. The no form
You can bind only one real port template to a real port. However, you can
bind the real port template to multiple real ports.
Some of the parameters that can be set using a template can also be set or
changed on the individual port.
• If a parameter is set (or changed from its default) in both a template and
on the individual port, the setting on the individual port takes prece-
dence.
• If a parameter is set (or changed from its default) in a template but is
not set or changed from its default on the individual port, the setting in
the template takes precedence.
Example The following example configures a real port template named “common-
rpsettings”, enables slow-start in the template, and binds the template to a
real port:
ACOS(config)# slb template port common-rpsettings

ACOS(config-rport)# slow-start from 256
ACOS(config-rport)# exit
ACOS(config-real server-node port)# template port common-rpsettings
SLB Port Template Configuration Mode Commands

The following SLB port template commands are available:
• bw-rate-limit
• conn-limit
• conn-rate-limit
• del-session-on-server-down
• dest-nat
• down-grace-period
page 162
• dscp
• dynamic-member-priority
• extended-stats
• health-check
• health-check-disable
• inband-health-check
• no-ssl
• request-rate-limit
• slow-start
• source-nat
• stats-data-disable
• stats-data-enable
• weight
To access these commands at the SLB port template level, enter the slb template port command.
bw-rate-limit
Description Configure the bandwidth rate limit for ports that use this template.
Syntax [no] bw-rate-limit limnum resume resnum duration durnum [no-logging]
limnum Bandwidth rate limit number in Kbps (1-16777216).
resnum Resume port selection after bandwidth drops below this thresh-
old, in Kbps (1-16777216).
durnum Time period the rate limit needs to honor to both exceed bw-
rate-limit number and drop below resume number, in seconds
(1-250).
no-logging Do not log bandwidth rate limit related state transitions.
Default Not set
Mode SLB port template
page 163
conn-limit
Description Maximum number of connections allowed on the port using this template.
Syntax [no] conn-limit max-num [resume resume-num] [no-logging]
max-num Maximum number of concurrent connections (0-8000000).
resume-num Maximum number of connections the port can have before the
ACOS device resumes use of the port (1-1048575).
no-logging Disables logging for this feature.
Default 8000000 (8 million)
Usage If you change the connection limiting configuration on a virtual port or virtual
server that has active sessions, or in a virtual-port or virtual-server template
bound to the virtual server or virtual port, the current connection counter for
the virtual port or server in show command output and in the GUI may
become incorrect. To avoid this, do not change the connection limiting con-
figuration until the virtual server or port does not have any active connec-
tions.
Example Configure 7 million as the maximum number of connections, with no log-

ging:
ACOS(config)# slb template port default

ACOS(config-rport)# conn-limit 7000000 no-logging
page 164
conn-rate-limit
Description Limits the rate of new connections the ACOS device is allowed to send to
ports that use this template. When a port reaches its connection limit, the
ACOS device stops selecting the port for client requests.
Syntax [no] conn-rate-limit connections [per {100ms | second}] [no-logging]
connections Maximum number of new connections allowed on a port. You can specify 1-1048575
connections.
per {100ms | 1sec} Specifies whether the connection rate limit applies to one-second intervals or 100-ms
intervals. The default is one-second intervals (1sec).
no-logging Disable logging when this feature is enabled.
Default By default this is not set; when enabled, the default sampling rate is per 1sec.
tions.
Example Configure 1 million as the maximum number of new connections per sec-
ond, with no logging:

ACOS(config-rport)# conn-rate-limit 1000000 per second no-logging
del-session-on-server-down
Description This command clears a port protocol session within 2 to 3 seconds if a ses-
sion server is disabled by ACOS command or the server fails an ACOS health
check at the service group level.
If a one or more real servers in a service group fails the health check and this
command is enabled for the session, ACOS clears the session.
page 165
Active sessions, (receiving client-side packets) are cleared within 2 to 3

seconds. Idle sessions may continue to exist for more than a minute after
the command is issued.
Syntax [no] del-session-on-server-down
Default This feature is disabled by default.
Example This example shows how the command is applied:

ACOS(config-rport)# del-session-on-server-down
dest-nat
Description Enables destination Network Address Translation (NAT) on ports that use
this template.
Destination NAT is enabled by default, but is automatically disabled in Direct

Server Return (DSR) configurations. You can re-enable destination NAT on
individual ports for deployment of mixed DSR configurations, which use
backup servers across Layer 3 (in different subnets).
Syntax [no] dest-nat
Default Disabled.
Example Enable destination NAT on ports that use this template:

ACOS(config-rport)# dest-nat
down-grace-period
Description Number of seconds the ACOS device will continue to forward packets to a
port that is down. This option is useful for taking servers down for mainte-
nance without immediately impacting existing sessions on the servers. You
can specify 1-86400 seconds.
NOTE: The service group must contain 2 or more servers for this feature to
work.
This feature supports stateless and stateful load balancing. How-
page 166
ever, the feature is not supported for stateful hash load-balancing

methods, such as source-IP-based or destination-IP-based hashing.
Syntax [no] down-grace-period num
num Number of seconds (1-86400).
Example Set the grace period to 3600 seconds.

ACOS(config-rport)# down-grace-period 3600
dscp
Description Sets the differentiated services code point (DSCP) value in the IP header of a
client request before sending the request to ports that use this template.
Syntax [no] dscp num
num DSCP value (1-63).
Default By default, DSCP is not set by the ACOS device.
Example The following example illustrates how this feature works:
1. Configure a port template named t1 that marks DSCP 4 on outgoing

packets.
slb template port t1

dscp 4
2. Configure a virtual-port template named vp1 that marks DSCP 6 on
outgoing packets.
slb template virtual-port vp1

dscp 6
3. Bind t1 to both port 80 tcp and port 443 tcp.

port 80 tcp
template port t1
page 167
port 443 tcp

template port t1
4. Configure a virtual server named vip2 with virtual port 80 http and
port 443 tcp. Although the vp1 template is bound to both ports, outgo-
ing packets are marked with DSCP 4, because real ports take prece-
dence over virtual ports.
slb virtual-server vip2 fd5a:bfc:563c:bcda::100
port 80 http
source-nat pool s2
service-group sg-80-6
template virtual-port vp1
port 443 https
source-nat pool s2
template server-ssl s1
template client-ssl cl-ssl1
dynamic-member-priority
Description Configure service-group priority settings for ports on dynamically created
servers. When configuring the service group, add the port template to the
member.
Syntax [no] dynamic-member-priority num decrement delta
num Initial TTL for dynamically created service-group members (1-
16).
The default is 16.

delta Amount to decrement the TTL if the IP address is not included
in the DNS reply (0-7).
The default is 0.
Example Set the initial TTL to 12 and decrement value to 1.

ACOS(config-rport)# dynamic-member-priority 12 decrement 1
page 168
extended-stats
Description Enables collection of SLB peak connection statistics for the port.
Default Disabled.

ACOS(config-rport)# extended-stats
health-check
Description Enables health monitoring of ports that use this template.
Syntax [no] health-check name
name Name of a configured health monitor.
Default By default, health checking is disabled.
Usage If you omit this command or you enter it without the monitor-name option,
the default TCP or UDP health monitor is used:
• TCP—Every 30 seconds, the ACOS device sends a connection request
(TCP SYN) to the specified TCP port on the server. The port passes the
health check if the server replies to the ACOS device by sending a TCP
SYN ACK.
• UDP—Every 30 seconds, the ACOS device sends a packet with a valid
UDP header and a garbage payload to the UDP port. The port passes the
health check if the server either does not reply, or replies with any type
of packet except an ICMP Error message.
Example Create health monitor “hm-dad” the enable health monitoring for ports using
this template, using “hm-dad” as the health monitor.
ACOS(config)# health monitor hm-dad

ACOS(config-health:monitor)# disable-after-down
ACOS(config-rport)# health-check hm-dad
page 169
health-check-disable
Description Disable health checking for the port.
Syntax [no] health-check-disable
Default By default, health checking is disabled.
Example Disable health checking:

ACOS(config-rport)# health-check-disable
inband-health-check
Description Supplements the standard Layer 4 health checks by using client-server traf-
fic to check the health of service ports.
Syntax [no] inband-health-check [down-timer seconds] [resel-on-reset]

[retry max-retries] [reassign max-reassigns]
seconds Amount of time in seconds to bring up the server or port that is marked down (0-255).
The default is 0; the server or port is never brought up.

resel-on-reset When receiving a reset from server, also re-select the server and port.

max-retries Each client-server session has its own retry counter. The ACOS device increments a ses-
sion’s retry counter each time a SYN ACK is late. If the retry counter exceeds the config-
ured maximum number of retries allowed, the ACOS device sends the next SYN for the
session to a different server. The ACOS device also resets the retry counter to 0. You can
set the retry counter to 0-7 retries.
The default number of retries is 2.

max-reassigns Each real port has its own reassign counter. Each time the retry counter for any session
is exceeded, the ACOS device increments the reassign counter for the server port. If the
reassign counter exceeds the configured maximum number of reassignments allowed,
the ACOS device marks the port down.
In this case, the port remains down until the next time the port successfully passes a
standard health check. Once the port passes a standard health check, the ACOS device
starts using the port again and resets the reassign counter to 0. You can set the reassign
counter to 0-255 reassignments.
The default is 25 reassignments.
Default Disabled.
page 170
Usage It is recommended that you continue to use standard Layer 4 health moni-
toring even if you enable in-band health monitoring. Without standard health
monitoring, a server port marked down by an in-band health check remains
down.
Example Enable inband health checking.

ACOS(config-rport)# inband-health-check down-timer 5 resel-on-reset
no-ssl
Description Disables SSL for server-side connections. This command is useful if a
server-SSL template is bound to the virtual port that uses this real port, and
you want to disable encryption on this real port.
Using the double-negative form of the command (no no-ssl) enables SSL for
server-side connections..
Syntax [no] no-ssl
Default Encryption is disabled by default, but it is enabled for server-side connec-

tions when the real port is used by a virtual port that is bound to a server-SSL
template.
Example Disable SSL for server-side connections:

ACOS(config-rport)# no-ssl
request-rate-limit
Description Limits the number of new requests that can be received by the port.
page 171
NOTE: This command applies only to configurations that use an external-

service template.
Syntax [no] request-rate-limit num

[per {100ms | second}] [reset] [no-logging]
num Maximum number of new connection requests allowed per the
specified interval (1-1048575).
per Interval for the rate:
• 100ms—Up to num new connection requests are allowed per

one-tenth second (100-ms).
• second—Up to num new connection requests are allowed per

second.
reset Sends a RST to a client that sends a new request during an inter-
val in which the request rate has been exceeded. By default,
requests that are received after the limit is exceeded are dropped
with no RST.
no-logging Disable logging for this feature.
Example Set the request rate limit to 500,000 per 100ms.

ACOS(config-rport)# request-rate-limit 500000 per 100ms
slow-start
Description Provides time for real ports that use the template to ramp-up after TCP/UDP
service is enabled, by temporarily limiting the number of new connections on
the ports.
Syntax [no] slow-start

[from start-conn-limit]
[times scale-factor | add conn-increment | every interval]
[till end-conn-limit]
start-conn-limit Maximum number of concurrent connections to allow on the service port after it
first comes up. You can specify from 1-4095 concurrent connections. The default
is 128.
scale-factor Number by which to multiply the starting connection limit. For example, if the
scale factor is 2 and the starting connection limit is 128, the ACOS device
increases the connection limit to 256 after the first ramp-up interval. The scale
factor can be 2-10. The default is 2.
conn-increment Number of additional concurrent connections to allow. You can specify 1-4095
new connections.
page 172
interval Number of seconds between each increase of the number of concurrent connec-
tions allowed. For example, if the ramp-up interval is 10 seconds, the number of
concurrent connections to allow is increased every 10 seconds. The ramp-up
interval can be 1-60 seconds. The default is 10 seconds.
end-conn-limit Maximum number of concurrent connections to allow during the final ramp-up
interval. After the final ramp-up interval, the slow start is over and does not limit
further connections to the server. You can specify from 1-65535 connections.
The default is 4096.
Example Configure ramp-up for ports; 128 connections to start, increase every 15 sec-
onds, until 4096 connections are reached.

ACOS(config-rport)# slow-start from 128 every 15 till 4096
source-nat
Description Specifies the IP NAT pool to use for assigning source IP addresses to client
traffic sent to ports using this template. When the ACOS device performs
NAT for a port that is bound to the template, the device selects an IP address
from the pool.
Syntax [no] source-nat name
name Name of the configured NAT pool.
Example Use “np1” as the source NAT pool.

ACOS(config-rport)# source-nat np1
stats-data-disable
Description Disables statistical data collection for ports that use this template..
Syntax [no] stats-data-disable
Default Stats collection is enabled by default.
Example Disable statistical data collection:
page 173

ACOS(config-rport)# stats-data-disable
stats-data-enable
Description Enables statistical data collection for ports that use this template..
Syntax [no] stats-data-enable
Default Stats collection is enabled by default.
Example Enable statistical data collection:

ACOS(config-rport)# stats-data-enable
weight
Description Specifies the load-balancing preference for ports that use this template. A
higher weight gives preference to the server and port relative to other servers
and ports.
This option applies only to the service-weighted-least-connection load-

balancing method. This option does not apply to the weighted-least-
connection or weighted-round-robin load-balancing methods.
Syntax [no] weight num
num Weight (1-100).
Default 1
Example Configure 3 as the weight.

ACOS(config-rport)# weight 3
page 174
Config Commands: SLB REQMOD ICAP Templates
This chapter describes the commands and subcommands for configuring SLB REQMOD ICAP tem-
plates.
• SLB REQMOD ICAP Template Configuration Mode Commands
port.

The following global configuration mode command is available to configure SLB REQMOD ICAP tem-
plates:
• slb template reqmod-icap
page 175
slb template reqmod-icap

Description Creates a template that you can apply to ACOS virtual servers to enable ICAP
REQMOD message capability on the virtual server.
Syntax [no] slb template reqmod-icap reqmod-template-name
This command changes the configuration mode to a new sub-level, where

the commands in SLB REQMOD ICAP Template Configuration Mode
Commands are available.
Default ACOS does not have a default SLB REQMOD ICAP template.
Usage See the “Redirection of SSLi Sessions to ICAP Servers” section of the SSL
Insight Configuration Guide for an overview of ICAP and usage guidelines.
Example The following example creates a REQMOD ICAP template with the name
REQMOD_abcd, and then binds it to the HTTP vPort of a wildcard SLB virtual
server.
ACOS(config)# slb server ICAP_server_1 10.1.260.11

ACOS(config-real server-node port)# health-check-disable
ACOS(config)# slb service-group SG_ICAP tcp
ACOS(config-slb svc group)# member ICAP_server_1 1344
ACOS(config-slb svc group-member:1344)# exit
ACOS(config-slb svc group)# exit
ACOS(config)# slb template reqmod-icap REQMOD_abcd
ACOS(config-reqmod-icap)# service-group SG_ICAP
ACOS(config-reqmod-icap)# service-url icap://abcd.com/reqmod_abcd
ACOS(config-reqmod-icap)# exit
ACOS(config)# slb virtual-server wildcard_VIP 0.0.0.0 acl 100
ACOS(config-slb vserver-vport)# template reqmod-icap REQMOD_abcd
SLB REQMOD ICAP Template Configuration Mode

Commands
The following SLB REQMOD ICAP template commands are available:
page 176
• allowed-http-methods
• fail-close
• include-protocol-in-uri
• min-payload-size
• preview
• service-group
• service-url
• template
To access commands at the SLB REQMOD ICAP template level, enter the slb template reqmod-icap
command.
allowed-http-methods
Description List of allowed HTTP methods.
Syntax [no] allowed-http-methods methods
The allowed methods that can be specified are GET, POST, HEAD, PUT,
OPTIONS, TRACE, DELETE, PURGE, PROPFIND, PROPPATCH, MKCOL,
COPY, MOVE, LOCK, UNLOCK.
Default If no methods are specified, the default is to allow all HTTP methods.
Mode SLB REQMOD ICAP template
Usage See RFC 3507 for further information on methods.
ACOS(config)# slb template reqmod-icap Reqmod_Template

ACOS(config-reqmod-icap)# allowed-http-methods GET

ACOS(config-reqmod-icap)# allowed-http-methods “MKCOL GET”
ACOS(config-reqmod-icap)# show config slb template reqmod-icap Reqmod_Template
!
slb template reqmod-icap Reqmod_Template
allowed-http-methods "MKCOL GET"
!
Example Use the no form of the command to return to the default where all HTTP
methods are allowed. The following example removes the restrictions of the
page 177
previous example that allowed only MKCOL and GET, and returns to the
default where all HTTP methods are allowed::
ACOS(config-reqmod-icap)# no allowed-http-methods “MKCOL GET”

ACOS(config-reqmod-icap)# show config slb template reqmod-icap Reqmod_Template
!
slb template reqmod-icap Reqmod_Template
!
Example If ACOS does not recognize or allow the methods you enter in the command,
you will get the following error message listing the all allowed methods:
ACOS(config-reqmod-icap)# allowed-http-methods ALL

Unsupported HTTP method in list, Supported methods are: GET POST HEAD PUT OPTIONS
TRACE DELETE PURGE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK
fail-close
Description Mark the virtual port down when the template service group is down.
Syntax [no] fail-close

ACOS(config-reqmod-icap)# fail-close
include-protocol-in-uri
Description Include the protocol and port in the HTTP URI sent to the ICAP server.
Syntax [no] include-protocol-in-uri
Usage See RFC 2396 for further information on URIs.

ACOS(config-reqmod-icap)# include-protocol-in-uri
page 178
min-payload-size
Description Set the minimum payload size sent to the ICAP server.
Syntax [no] min-payload-size num
num Set the minimum payload size. You can specify 1-65536.
Default 4096

ACOS(config-reqmod-icap)# min-payload-size 8192
preview
Description Specifies the number of bytes that ACOS forwards to the ICAP server at the
beginning of a transaction.
If you do not configure a preview value, the ACOS device uses the preview
value obtained from the ICAP server.
Syntax [no] preview num
num The number of bytes that ACOS forwards to the ICAP server at
the beginning of a transaction. This number applies only to the
encapsulated body (the HTTP payload).
Default 32768
Usage If you enter the default value of the command or use the no form of the com-
mand to remove the setting (no preview num), ACOS uses the preview value
obtained from the ICAP server. See RFC 3507 for further information.

ACOS(config-reqmod-icap)# preview 8192
page 179
service-group
Description Specify the names of the ICAP service groups.
Syntax [no] service-group service-group-name
service-group-name Name of a configured service-group.

ACOS(config-reqmod-icap)# service-group SSLi_SG1
service-url
Description Specify the URLs of the ICAP servers.
Syntax [no] service-url url
url URL to send to the ICAP servers.

ACOS(config-reqmod-icap)# service-url icap://ExampleURL.com
page 180
template
Description Apply an ACOS template to this ICAP template.
Syntax [no] template type name
type The following templates can be applied:
• logging—apply the specified logging template. See the slb

template logging command for information on configuring
a logging template. Web logging is described in detail in the
“Web Logging for HTTP and RAM Caching” section of the
Application Delivery and Server Load Balancing Guide.
• persist source-ip—apply the specified source IP per-

sistence template.
• server-ssl—apply the specified server-SSL template.

Enables a secure SSL connection to the ICAP server.
• tcp-proxy—apply the specified TCP proxy template.

name Name of the desired template.
Example Apply a logging template:

ACOS(config-reqmod-icap)# template logging SSLi_Logging_Template
page 181
page 182
Config Commands: SLB RESPMOD ICAP Templates
This chapter describes the commands and subcommands for configuring SLB RESPMOD ICAP tem-
plates.
• SLB RESPMOD ICAP Template Configuration Mode Commands
port.

The following global configuration mode command is available to configure SLB RESPMOD ICAP tem-
plates:
• slb template respmod-icap
page 183
slb template respmod-icap

Description Creates a template that you can apply to ACOS virtual servers to enable ICAP
RESPMOD message capability on the virtual server.
Syntax [no] slb template respmod-icap respmod-template-name
This command changes the configuration mode to a new sub-level, where

the commands in SLB RESPMOD ICAP Template Configuration Mode
Commands are available.
Default ACOS does not have a default SLB RESPMOD ICAP template.
Usage See the “Redirection of SSLi Sessions to ICAP Servers” section of the SSL
Insight Configuration Guide for an overview of ICAP and usage guidelines.
Example The following example creates a RESPMOD ICAP template with the name
RESPMOD_abcd, and then binds it to the HTTP vPort of a wildcard SLB vir-
tual server.
ACOS(config)# slb server ICAP_server_1 10.1.260.11

ACOS(config-real server-node port)# health-check-disable
ACOS(config)# slb service-group SG_ICAP tcp
ACOS(config-slb svc group)# member ICAP_server_1 1344
ACOS(config)# slb template respmod-icap RESPMOD_abcd
ACOS(config-reqmod-icap)# service-group SG_ICAP
ACOS(config-reqmod-icap)# service-url icap://abcd.com/respmod_abcd
ACOS(config-reqmod-icap)# exit
ACOS(config)# slb virtual-server wildcard_VIP 0.0.0.0 acl 100
ACOS(config-slb vserver-vport)# template respmod-icap RESPMOD_abcd
page 184
SLB RESPMOD ICAP Template Configuration Mode

Commands
The following SLB RESPMOD ICAP template commands are available:
• fail-close
• include-protocol-in-uri
• min-payload-size
• preview
• service-group
• service-url
• template
To access these commands at the SLB RESPMOD ICAP template level, enter the slb template resp-
mod-icap command.
fail-close
Description Mark the virtual port down when the template service group is down.
Syntax [no] fail-close
Mode SLB RESPMOD ICAP template
ACOS(config)# slb template respmod-icap Respmod_Template

ACOS(config-respmod-icap)# fail-close
page 185
include-protocol-in-uri
Description Include the protocol and port in the HTTP URI sent to the ICAP server.
Syntax [no] include-protocol-in-uri

ACOS(config-respmod-icap)# include-protocol-in-uri
min-payload-size
Description Set the minimum payload size.
Syntax [no] min-payload-size num
num Set the minimum payload size. You can specify 1-65536.
Default 4096

ACOS(config-respmod-icap)# min-payload-size 8192
preview
Description Command to allow the ICAP server to preview to RESPMOD messages.
page 186
If you do not configure a preview value, the ACOS device uses the preview
value obtained from the ICAP server.
Syntax [no] preview num
num The number of bytes the ACOS device forwards to the ICAP
server at the beginning of a transaction. This number applies
only to the encapsulated body (the HTTP payload).
Default 32768

ACOS(config-respmod-icap)# preview 8192
service-group
Description Specify the names of the ICAP service groups.
Syntax [no] service-group service-group-name
service-group-name Name of a configured service-group.

ACOS(config-respmod-icap)# service-group SSLi_SG1
service-url
Description Specify the URLs of the ICAP servers.
Syntax [no] service-url url
url URL to send to the ICAP servers.
page 187

ACOS(config-respmod-icap)# service-url icap://ExampleURL.com
template
Description Apply an ACOS template to this ICAP template.
Syntax [no] template type name
type The following templates can be applied:
• logging—apply the specified logging template. See the slb

template logging command for information on configuring
a logging template. Web logging is described in detail in the
“Web Logging for HTTP and RAM Caching” section of the
• persist source-ip—apply the specified source IP per-

sistence template.
• server-ssl—apply the specified server-SSL template.

Enables a secure SSL connection to the ICAP server.
• tcp-proxy—apply the specified TCP proxy template.

name Name of the desired template.
Example Apply a logging template:

ACOS(config-respmod-icap)# template logging SSLi_Logging_Template
page 188
Config Commands: SLB Server Templates
This chapter describes the commands and subcommands for configuring SLB server templates.
• SLB Server Template Configuration Mode Commands
port.

The following global configuration mode command is available to configure SLB Server templates:
• slb template server
slb template server

Syntax [no] slb template server {default | template-name}
default Edit the default real server template. This template can be
modified in the same way as any custom template-name
you specify.
This command enters the SLB Server Template Configuration Mode

Commands for the specified real server template.
page 189
to make are applicable to all real ports that use the template.
Usage The normal form of this command creates a real server template. The no
form of this command removes the template.
You can bind only one real server template to a real server. However, you can
bind the real server template to multiple real servers.
changed on the individual server.
on the individual server, the setting on the individual server takes prece-
dence.
not set or changed from its default on the individual server, the setting in
the template takes precedence.
Example The following commands configure a real server template called “rs-tmplt1”
and bind the template to two real servers:
ACOS(config)# slb template server rs-tmplt1

ACOS(config-rserver)# health-check ping2
ACOS(config-rserver)# conn-limit 500000
ACOS(config-rserver)# exit
ACOS(config-real server)# template server rs-tmplt1
Example The following commands configure hostname server parameters in a server

port template and a server template:
ACOS(config)# slb template port temp-port

ACOS(config-rport)# dynamic-member-priority 12
ACOS(config-rport)# exit
ACOS(config)# slb template server temp-server
ACOS(config-rserver)# dns-query-interval 5
ACOS(config-rserver)# min-ttl-ratio 3
ACOS(config-rserver)# max-dynamic-server 16
page 190
SLB Server Template Configuration Mode Commands

The following SLB server template commands are available:
• bw-rate-limit
• bw-rate-limit-acct
• conn-limit
• conn-rate-limit
• dns-query-interval
• dynamic-server-prefix
• extended-stats
• health-check
• log-selection-failure
• max-dynamic-server
• min-ttl-ratio
• slow-start
• spoofing-cache
• weight
To access these commands at the SLB server template level, enter the slb template server command.
page 191
bw-rate-limit
Description Configure the bandwidth rate limit for servers that use this template.
Syntax [no] bw-rate-limit l-num resume r-num duration d-num [no-logging]
l-num Bandwidth rate limit number in Kbps (1-16777216).
r-num Resume port selection after bandwidth drops below this thresh-
old, in Kbps (1-16777216).
d-num Time period the rate limit needs to honor to both exceed bw-
rate-limit number and drop below resume number, in seconds
(1-250).
no-logging Do not log bandwidth rate limit related state transitions.
Default Not set
Mode SLB server template
bw-rate-limit-acct
Description Configure the bandwidth rate limit accounting for servers that use this tem-
plate.
Syntax [no] bw-rate-limit-acct TRAFFIC
TRAFFIC Specifies data limited by command. Options include:
• to-server-only – Account for traffic sent to the real server.
• from-server-only – Account for traffic received from the real

server.
• all – Account for all traffic sent to/received from real server
(default).
Default Not set
page 192
conn-limit
Description Maximum number of connections allowed on real servers using this tem-
plate.
Syntax [no] conn-limit max-num [resume resume-num] [no-logging]
max-num Maximum number of concurrent connections (0-8000000).
resume-num Maximum number of connections the server can have before
the ACOS device resumes use of the server (1-1048575).
Default 8000000 (8 million)
tions.
Example Configure 7 million as the maximum number of connections, with no log-

ging:
ACOS(config)# slb template server default

ACOS(config-rserver)# conn-limit 7000000 no-logging
page 193
conn-rate-limit
servers that use this template. When a real server reaches its connection
limit, the ACOS device stops selecting the server for client requests.
Syntax [no] conn-rate-limit connections [per {100ms | 1sec}] [no-logging]
connections Maximum number of new connections allowed on a server.
You can specify 1-1048575 connections.
per Specifies whether the connection rate limit applies to one-
{100ms | 1sec} second intervals or 100-ms intervals. The default is one-sec-
ond intervals (1sec).
Default By default this is not set; when enabled, the default sampling rate is per 1sec.
tions.
Example Configure 1 million as the maximum number of new connections per sec-
ond, with no logging:

ACOS(config-rserver)# conn-rate-limit 1000000 per 1sec no-logging
page 194
dns-query-interval
Description Specifies how often the ACOS device sends DNS queries for the IP
addresses of dynamic real servers.
Syntax [no] dns-query-interval minutes
minutes DNS query interval in minutes (1-1440 minutes, or one day).
Default 10 minutes
Example Configure 30 minutes as the DNS query interval:

dynamic-server-prefix
Description Specifies the prefix added to the front of dynamically created servers.
Syntax [no] dynamic-server-prefix string
string Prefix string (1-3 characters).
Default The default string is “DRS”
Example Configure “MDS” as the server prefix string:

ACOS(config-rserver)# dynamic-server-prefix MDS
extended-stats
Description Enables collection of peak connection statistics for a server.
Default Disabled by default
Example Enable the feature:
page 195

ACOS(config-rserver)# extended-stats
health-check
Description Enables health monitoring of ports that use this template.
Syntax [no] health-check [name]
name Name of a configured health monitor.
Usage If this command is not used, or is used without a specific monitor name, the
default ICMP health monitor is used; a ping is sent every 30 seconds. If the
ping fails 2 times consecutively, the ACOS device sets the server state to
DOWN.
Example Use the health monitor named “hm1”:

ACOS(config-rserver)# health-check hm1
Description Disables health monitoring of servers that use this template.
Example Disable server health monitoring:

ACOS(config-rserver)# health-check-disable
log-selection-failure
Description Enables real-time logging for server-selection failures.
Syntax [no] log-selection-failure
Example Enable the logging of server-selection failures:
page 196

ACOS(config-rserver)# log-selection-failure
max-dynamic-server
Description Maximum number of dynamic real servers that can be created for a given
hostname.
Syntax [no] max-dymanic-server [num]
num Maximum number of servers (1-1023).
Default 255
Example Allow a maximum of 500 dynamic real servers to be created:

ACOS(config-rserver)# max-dynamic-server 500
min-ttl-ratio
Description Minimum initial value for the TTL of dynamic real servers. The ACOS device
multiplies this value by the DNS query interval to calculate the minimum TTL
value to assign to the dynamically created server.
Syntax [no] min-ttl-ratio [num]
num Initial value (1-15).
Default 2
Example Configure a DNS query interval of 30 minutes and minimum initial value of 3;
this will set the TTL of dynamic real servers to 90:

ACOS(config-rserver)# min-ttl-ratio 3
page 197
slow-start
Description Provides time for real ports that use the template to ramp-up after TCP/UDP
service is enabled, by temporarily limiting the number of new connections on
the ports.

[from starting-conn-limit]
[times scale-factor | add conn-incr]
[every interval]
[till ending-conn-limit]
starting-con-limit Maximum number of concurrent connections to allow on the server after it first
comes up. You can specify from 1-4095 concurrent connections.
The default is 128.

scale-factor Number by which to multiply the starting connection limit. For example, if the scale
factor is 2 and the starting connection limit is 128, the ACOS device increases the
connection limit to 256 after the first ramp-up interval. The scale factor can be 2-
10.
The default is 2.
conn-incr As an alternative to specifying a scale factor, you can instead specify how many
more concurrent connections to allow. You can specify 1-4095 new connections.
interval Number of seconds between each increase of the number of concurrent connec-
tions allowed. For example, if the ramp-up interval is 10 seconds, the number of
concurrent connections to allow is increased every 10 seconds. The ramp-up inter-
val can be 1-60 seconds.
The default is 10 seconds.

ending-conn-limit Maximum number of concurrent connections to allow during the final ramp-up
interval. After the final ramp-up interval, the slow start is over and does not limit
further connections to the server. You can specify from 1-65535 connections.
Default Slow-start is disabled by default.
Usage If a normal runtime connection limit is also configured on the server (for
example, by the conn-limit command), and the normal connection limit is
smaller than the slow-start ending connection limit, the ACOS device limits
slow-start connections to the maximum allowed by the normal connection
limit.
Example Enable slow-start using the default values:

ACOS(config-rserver)# slow-start
page 198
spoofing-cache
Description Enables support for a spoofing cache server. A spoofing cache server uses
the client’s IP address instead of its own as the source address when obtain-
ing content requested by the client.
Syntax [no] spoofing-cache
Default Disabled.

ACOS(config-rserver)# spoofing-cache
stats-data-enable
Description Enable statistical data collection for servers that use this template.
Syntax stats-data-enable
Default Statistical data collection is enabled by default.
Example Enable stats data collection:

ACOS(config-rserver)# stats-data-enable
stats-data-disable
Description Disable statistical data collection for servers that use this template.
Syntax stats-data-disable
Default Statistical data collection is enabled by default.
Example Disable stats data collection:

ACOS(config-rserver)# stats-data-disable
page 199
weight
Description Assigns an administrative weight to the server, for weighted load balancing.
num Administrative weight assigned to the server. You can specify 1-
100.
Default 1
Example Assign an administrative weight of 5:

ACOS(config-rserver)# weight 5
page 200
Config Commands: SLB Server SSL Templates
This chapter describes the commands and subcommands for configuring SLB Server SSL templates.
• SLB Server-SSL Template Configuration Mode Commands
port.

The following global configuration mode command is available to configure SLB Server SSL templates:
• slb template server-ssl
page 201
slb template server-ssl

Description Configure the ACOS device to validate real servers based on their certifi-
cates.
Syntax [no] slb template server-ssl template-name
This command enters the SLB Server-SSL Template Configuration Mode for
the specified server-ssl template. See “SLB Server-SSL Template
Configuration Mode Commands” on page 204 for more information.
Default The configuration does not have a default server-side SSL template.
Usage The normal form of this command creates a server-SSL configuration tem-
plate.

You can bind only one server-SSL template to a virtual port. However, you
can bind the same server-SSL template to multiple ports.
Usage Server-SSL Template Binding

ACOS supports use of a server-SSL template with only one instance of a real port. For example, if the same real server:port
member is used in two service groups, it is valid to bind each of those service groups to a different virtual port. However, if
there are server-SSL templates configured for both virtual ports, the server-side SSL behavior is not predictable and is not
supported. It is recommended to duplicate the real server port configuration with different real servers in each group.
In the following example, an ACOS system is configurred with two virtual-servers, SSL_Internet_vip_001 and SSL_In-
ternet_vip_003. And, each of these virtual servers are configured with an HTTP virtual port, port 8080 http.
1. A different SSL-template and a different service group is applied to each virtual port.
• The SSL-template, SSL_Internet_vip_001_server_ssl, and the service group, sg2, are applied to port
8080 http on SSL_Internet_vip_001.
slb virtual-server SSL_Internet_vip_001 0.0.0.0 acl 1

user-tag Security
port 8080 http
service-group sg2
use-rcv-hop-for-resp
template server-ssl SSL_Internet_vip_001_server_ssl
no-dest-nat port-translation
page 202
• The SSL-template, SSL_Internet_vip_003_server_ssl, and the service group, sg1, are applied to port
8080 http on SSL_Internet_vip_003.
slb virtual-server SSL_Internet_vip_003 0.0.0.0 acl 3

user-tag Security
port 8080 http
service-group sg1
template server-ssl SSL_Internet_vip_003_server_ssl
no-dest-nat port-translation
2. The preceding configuration is supported when each service group specifies a different real server. Service group sg1
specifies real server, rs1, and service group, sg2, specifies real server, rs2:
slb server rs1 192.168.1.10

port 80 tcp

port 80 tcp
slb service-group sg1 tcp

member rs1 80
template tcp1

priority-affinity
member rs2 80
3. However, the configuration in step 1 is not supported when both service groups specify the same real server, rs1, as
shown in the following:

port 80 tcp

member rs1 80
template tcp1

priority-affinity
member rs1 80
page 203
SLB Server-SSL Template Configuration Mode Commands

The following SLB server-SSL template commands are available:
• ca-cert
• cert
• cipher
• close-notify
• forward-proxy-enable
• key
• server-certificate-error
• session-cache-size
• session-cache-timeout
• session-ticket-enable
• template cipher
• use-client-sni
• version
To access these commands at the SLB Server-SSL template level, enter the slb template server-ssl
command.
ca-cert
Description Specifies the name of a CA certificate. A server-SSL template can have multi-
ple CA-signed certificates.
You can add the CA certificates to the server-SSL template in either of the
following ways:
• As separate files (one for each certificate)
page 204
• As a single file containing multiple certificates
Syntax [no] ca-cert ca-cert-name [ocsp {ocsp-server-name | service-group

ocsp-service-group-name}]
ca-cert-name Name of the CA certificate (1-255 characters)
ocsp-server-name Name of the OCSP server (1-255 characters)
ocsp-service-group-name Name of the OCSP service-group (1-255 charac-
ters)
Mode SLB server-SSL template
Usage Note: If validation of the ca-cert fails, the connection to the server is termi-
nated.
Example Specify “example.pem” as the name of the certificate:
ACOS(config)# slb template server-ssl sstmp1

ACOS(config-server ssl)# ca-cert example.pem
cert
Description Specifies the name of the certificate to use for terminating or initiating an
SSL connection. The certificate must be installed on the ACOS device.
Syntax [no] cert name
name Name of the certificate (1-255 characters).
Example Specify “example.pem” as the name of the certificate:

ACOS(config-server ssl)# cert example.pem
cipher
Description Specifies the cipher suite to support for certificates from servers.
page 205
You can remove (or re-add) one cipher in the template with a single
command. Enter separate commands for each cipher to remove or re-add.
Syntax [no] cipher name
name Name of the cipher.
The supported cipher are listed athttps://www.a10net-

works.com/support/axseries/appnotes/A10-Thunder-SSL_Ci-
pher_List.pdf or enter cipher ? from the command line.
Example Specify “ SSL3_RSA_RC4_128_SHA ” as the cipher:

ACOS(config-server ssl)# cipher SSL3_RSA_RC4_128_SHA
close-notify
Description Enables support for close notification (close_notify) alerts. When this option
is enabled, the ACOS device sends a close_notify message when an SSL
transaction ends, before sending a FIN. This behavior is required by certain
types of applications, including PHP cgi.The close notification option may
not work if connection reuse is also configured on the same virtual port. In
this case, when the server sends a FIN to the ACOS device, the ACOS device
will not send a FIN followed by a close notification. Instead, the ACOS device
will send a RST.
NOTE: This command can not be used along with the TCP-proxy template
force-delete-timeout option. Doing so may cause unexpected
behavior.
Syntax [no] close-notify

ACOS(config-server ssl)# close-notify
page 206
enable-tls-alert-logging fatal
Description Enables logging of TLS alerts that include the flow information such as
source IP address.
Syntax [no] enable-tls-alert-logging fatal

ACOS(config-server ssl)# enable-tls-alert-logging fatal
forward-proxy-enable
Description Enables SSL Insight support.
Syntax [no] forward-proxy-enable

ACOS(config-server ssl)# forward-proxy-enable
key
Description Specifies the key for the certificate, and the passphrase used to encrypt the
key.
Syntax [no] key name [passphrase string]
name Name of the certificate for the key.
string Passphrase used to encrypt the key.
Example Specify a key name and passphrase:
page 207
ACOS(config-server ssl)# key examplekey passphrase examplephrase
renegotiation-disable
Description Disables TLS/SSL renegotiation.
Syntax [no] renegotiation-disable
Default TLS/SSL secure renegotiation is enabled.
Usage TLS/SSL secure renegotiation is disabled if the renegotiation-disable com-

mand is entered in both the SLB server-SSL and SLB client-SSL templates.
The no renegotiation-disable command entered in both templates re-
enables secure renegotiation.
Usage TLS/SSL secure renegotiation is enabled if the no renegotiation-disable

command is entered in both the SLB server-SSL template and the SLB client-
SSL template.
Example Disable TLS/SSL renegotiation:

ACOS(config-server ssl)# renegotiation-disable
server-certificate-error
Description Specifies the ACOS response if there is a server certificate error.
Syntax [no] server-certificate-error {email | ignore | logging | trap}
email Send an Email.
ignore Ignore the error and allow traffic.
logging Generate a log message.
trap Generate an SNMP trap.
Default Not set; the connection is refused without any notification.
Example Send an SNMP trap when there is a server certificate error:

ACOS(config-server ssl)# server-certificate-error trap
page 208
session-cache-size
Description Sets the maximum number of session-ID entries.
Syntax [no] session-cache-size num
num Number of session-ID entries.
Specify 0 to disable caching.
Example Specify 5000000 entries:

ACOS(config-server ssl)# session-cache-size 5000000
session-cache-timeout
Description Sets the maximum number of seconds a cache entry can remain unused
before being removed from the cache.
Cache entries age according to the ticket age time. The age time is not reset
when a cache entry is used. After a client’s SSL ticket expires, they must
complete an SSL handshake in order to set up the next secure session with
ACOS.
Syntax [no] session-cache-timeout num
num Number of seconds.
Example Specify 5000 seconds as the timeout value:

ACOS(config-server ssl)# session-cache-timeout 5000
page 209
session-ticket-enable
Description Enables stateless SSL session ticketing features.
Syntax [no] session-ticket-enable
Default Feature is not enabled.
Example Enable stateless SSL session ticketing features:

ACOS(config-server ssl)# session-ticket-enable
template cipher
Description Name of a cipher template to bind to the server-SSL template. In this case,
the settings in the cipher template override any cipher settings in the server-
SSL template.
Syntax [no] template cipher name
name Name of the cipher template (1-63 characters).
Default Not set; the ciphers enabled in the server-SSL template are used.
Example Bind the cipher template “cipher-tmp1” to this server-SSL template:

ACOS(config-server ssl)# template cipher cipher-tmp1
use-client-sni
Description Pass the client domain name to the server side of an SSL proxy configura-
tion.
Syntax [no] use-client-sni
Default Client domain name is not passed through to the server-side.
Example The following example shows the server side template in an ACOS SSL proxy
configuration where the client domain name is passed through to the SSL
server:
page 210

ACOS(config-server ssl)# use-client-sni
version
Description Specify the security version.
Syntax [no] version {30 | 31 | 32 | 33}
30 Secure Sockets Layer (SSL) v3.0.
31 Transport Layer Security (TLS) v1.0.
Default 31
Example Use TLS v1.1 security:

ACOS(config-server ssl)# version 32
page 211
page 212
Config Commands: SLB SIP Templates
This chapter describes the commands and subcommands for configuring SLB SIP templates.
• SLB SIP (Over UDP) Template Configuration Mode Commands
• SLB SIP (Over TCP/TLS) Template Configuration Mode Commands
port.

The following SLB template commands are available:
• slb template sip (over UDP)
• slb template sip (over TCP/TLS)
slb template sip (over UDP)

Description Configure separate load balancing of Session Initiation Protocol (SIP) regis-
tration traffic and non-registration traffic for SIP clients.
Syntax [no] slb template sip template-name
This command enters the SLB SIP (Over UDP) Template Configuration Mode
Commands for the specified SIP (over UDP) template.
page 213
Default The configuration does not have a default SIP over UDP template.
Usage The normal form of this command creates a SIP configuration template. The
You can bind only one SIP template to a virtual port. However, you can bind
the same SIP template to multiple ports.
The header-erase and header-insert options apply to both traffic directions,

client-to-server and server-to-client traffic.
Example The following commands configure a SIP template named “Registrar_tem-

plate”:
ACOS(config)# slb template sip Registrar_template

ACOS(config-sip)# registrar service-group Registrar_gp
ACOS(config-sip)# client-request-header insert max-Forwards:15
ACOS(config-sip)# client-request-header erase Contact
slb template sip (over TCP/TLS)

Description Configure separate load balancing of Session Initiation Protocol (SIP) regis-
tration traffic and non-registration traffic for SIP over TCP/TLS.
Syntax [no] slb template sip template-name
This command enters the SLB SIP (Over TCP/TLS) Template Configuration
Mode Commands for the specified SIP (over UDP) template.
Default The configuration does not have a default SIP over TCP/TLS template.
Usage The normal form of this command creates a SIP configuration template. The
You can bind only one SIP template to a virtual port. However, you can bind
the same SIP template to multiple ports.
Example The following commands configure a SIP over TCP/TLS template:
ACOS(config)# slb template sip siptls-tmplt

ACOS(config-sip)# insert-client-ip
ACOS(config-sip)# client-keep-alive
page 214
ACOS(config-sip)# failed-client-selection "480 Temporarily Unavailable"

ACOS(config-sip)# failed-server-selection "504 Server Time-out"
ACOS(config-sip)# exclude-translation header Authentication
SLB SIP (Over UDP) Template Configuration Mode

Commands
The following commands apply to only SIP over UDP, with the exception of timeout, alg-dest-nat, and
alg-source-nat commands, which apply both to SIP over UDP and SIP over TCP/TLS.
• alg-dest-nat
• alg-source-nat
• call-id-persist-disable
• client-request-header erase
• client-request-header insert
• client-response-header erase
• client-response-header insert
• dialog-aware
• exclude-translation
• insert-client-ip
• keep-server-ip-if-match-acl
• registrar service-group
• server-request-header erase
• server-request-header insert
• server-response-header erase
• server-response-header insert
• timeout
To access these commands at the SLB SIP Over UDP template level, enter the slb template sip (over
UDP) command.
page 215
alg-dest-nat
Description Translates the VIP address into the real server IP address in SIP messages,
when destination NAT is used.
Syntax [no] alg-dest-nat
Mode SLB SIP template
ACOS(config)# slb template sip sip-tmp1

ACOS(config-sip)# alg-dest-nat
alg-source-nat
Description Translates source IP address in to the NAT IP address in SIP messages,
when source NAT is used.
ALG support status does not affect IP layer address translation. IP layer
address translation is still performed, if applicable, even when ALG support is
disabled.
Syntax [no] alg-source-nat

ACOS(config-sip)# alg-source-nat
call-id-persist-disable
Description Disables call-ID persistence.
Syntax [no] call-id-persist-disable
Default Call-ID persistence is enabled by default.
Example Disable call-ID persistence.

ACOS(config-sip)# call-id-persist-disable
page 216
client-request-header erase
Description Erases the specified header.
Syntax [no] client-request-header erase string [all]
string Specify the header to erase.
all Erase all instances of the specified header. If not specified, only
the first instance is erased.
Default All instances of the specified header are erased.
Example Erase the first instance of the “Max-Forwards” header:

ACOS(config-sip)# client-request-header erase Max-Forwards
client-request-header insert
Description Inserts the specified header into requests.
Syntax [no] client-request-header insert field:value

[insert-always | insert-if-not-exist]
field:value Header field name and the value to insert.
Use a colon between the header name and the value. To use a blank space
between the header name and the value, use double quotation marks.
Examples:
client-request-header insert Max-Forwards:15
client-request-header insert “Max-Forwards: 15”
insert-always Always inserts the field:value pair. If the request already contains a header with
the same field name, the new field:value pair is added after the existing
insert-if-not-exist Inserts the header only if the request does not already contain a header with the
same field name.
Without either insert-always or insert-if-not-exist option, if a request

already contains one or more headers with the specified field name, the
command replaces the last header.
Example Insert the “Max-Forwards: 15” header:
page 217

ACOS(config-sip)# client-request-header insert “Max-Forwards: 15”
client-response-header erase
Syntax [no] client-response-header erase string [all]

ACOS(config-sip)# client-response-header erase Max-Forwards
client-response-header insert
Description Inserts the specified header into responses.
Syntax [no] client-response-header insert field:value

Examples:
client-response-header insert Max-Forwards:15
client-response-header insert “Max-Forwards: 15”
same field name.
Without either insert-always or insert-if-not-exist option, if a response

page 218

ACOS(config-sip)# client-response-header insert “Max-Forwards: 15”
dialog-aware
Description Enables multiple active client instance support with the same end-user login.
Syntax [no] dialog-aware

ACOS(config-sip)# dialog-aware
exclude-translation
Description Disables translation of the virtual IP address and virtual port in specific por-
tions of SIP messages.
Syntax [no] exclude-translation {body | header string | start-line}
body Does not translate virtual IP addresses and virtual ports in the
body of the message.
string Does not translate virtual IP addresses and virtual ports in the
specified header.
start-line Does not translate virtual IP addresses and virtual ports in the
SIP request line or status line.
Default Not set; the ACOS device does not translate addresses in any header except
the top Via header.
Example Do not translate virtual IP addresses and virtual ports in the message body:

ACOS(config-sip)# exclude-translation body
page 219
insert-client-ip
Description Inserts an “X-Forwarded-For: IP-address:port” header into SIP packets from
the client to the SIP server. The header contains the client IP address and
source protocol port number. The ACOS device uses the header to identify
the client when forwarding a server reply.
Syntax [no] insert-client-ip

keep-server-ip-if-match-acl
Description Disables reverse NAT based on the IP addresses in an extended ACL. This
command is useful in cases where a SIP server needs to reach another
server, and the traffic must pass through the ACOS device.
Syntax [no] keep-server-ip-if-match-acl

ACOS(config-sip)# keep-server-ip-if-match-acl
registrar service-group
Description Specifies the name of a service group of SIP Registrar servers.
Syntax [no] registrar service-group name
name Service group name (1-127 characters).
Example Specify “sip-sg1” as the service group:
page 220
ACOS(config-sip)# registrar service-group sip-sg1
server-request-header erase
Syntax [no] server-request-header erase string [all]

ACOS(config-sip)# server-request-header erase Max-Forwards
page 221
server-request-header insert

Examples:
server-request-header insert Max-Forwards:15
server-request-header insert “Max-Forwards: 15”
same field name.


ACOS(config-sip)# server-request-header insert “Max-Forwards: 15”
server-response-header erase
Syntax [no] server-response-header erase string [all]
page 222

ACOS(config-sip)# server-response-header erase Max-Forwards
server-response-header insert
Syntax [no] server-response-header insert field:value

Examples:
same field name.


ACOS(config-sip)# server-response-header insert “Max-Forwards: 15”
page 223
timeout
Description Specifies the number of minutes a SIP session can remain idle before the
ACOS device terminates the session.
Syntax [no] timeout num
Default 30 minutes
Example Configure the timeout for 5 minutes:

ACOS(config-sip)# timeout 5
SLB SIP (Over TCP/TLS) Template Configuration Mode

Commands
The following commands apply to only SIP over TCP/TLS, with the exception of timeout, alg-dest-nat,
and alg-source-nat commands, which apply both to SIP over UDP and SIP over TCP/TLS.
• alg-dest-nat
• alg-source-nat
• call-id-persist-disable
• client-keepalive
• client-request-header erase
• client-request-header insert
• client-response-header erase
• client-response-header insert
• dialog-aware
• exclude-translation
• failed-client-selection
• failed-server-selection
page 224
• server-keep-alive
• server-request-header erase
• server-request-header insert
• server-response-header erase
• server-response-header insert
• server-selection-per-request
• smp-call-id-rtp-session
• timeout
To access commands at the SLB SIP Over TCP/TLS template level, enter the slb template sip (over
TCP/TLS) command.
alg-dest-nat
Description Enables SIP ALG support for the destination IP address.
Syntax [no] alg-dest-nat

ACOS(config-sip)# alg-dest-nat
alg-source-nat
Description Enables SIP ALG support for the source IP address.
ALG support status does not affect IP layer address translation. IP layer
address translation is still performed, if applicable, even when ALG support is
disabled.
Syntax [no] alg-source-nat
page 225

ACOS(config-sip)# alg-source-nat
call-id-persist-disable
Description Disables call-ID persistence.
Syntax [no] call-id-persist-disable
Default Call-ID persistence is enabled by default.
Example Disable call-ID persistence.

ACOS(config-sip)# call-id-persist-disable
client-keepalive
Description Enables the ACOS device to respond to SIP pings from clients on behalf of
SIP servers. When this option is enabled, the ACOS device responds to a SIP
ping from a client with a “pong”. This option is disabled by default.
If connection reuse is configured, even if client keepalive is disabled, the

ACOS device will respond to a client SIP ping with a pong.
Syntax [no] client-keepalive

ACOS(config-sip)# client-keepalive
page 226
client-request-header erase
Syntax [no] client-request-header erase string [all]

ACOS(config-sip)# client-request-header erase Max-Forwards
client-request-header insert

Examples:
client-request-header insert Max-Forwards:15
client-request-header insert “Max-Forwards: 15”
same field name.

page 227

ACOS(config-sip)# client-request-header insert “Max-Forwards: 15”
client-response-header erase
Syntax [no] client-response-header erase string [all]

ACOS(config-sip)# client-response-header erase Max-Forwards
client-response-header insert
Syntax [no] client-response-header insert field:value

Examples:
same field name.

page 228

ACOS(config-sip)# client-response-header insert “Max-Forwards: 15”
dialog-aware
Description Enables multiple active client instance support with the same end-user login.
Syntax [no] dialog-aware

ACOS(config-sip)# dialog-aware
exclude-translation
Description Disables translation of the virtual IP address and virtual port in specific por-
tions of SIP messages.
Syntax [no] exclude-translation {body | header string | start-line}
body Does not translate virtual IP addresses and virtual ports in the body of the message.
string Does not translate virtual IP addresses and virtual ports in the specified header.
start-line Does not translate virtual IP addresses and virtual ports in the SIP request line or status
line.
Default Not set; the ACOS device does not translate addresses in any header except
the top Via header.
Example Do not translate virtual IP addresses and virtual ports in the message body:

ACOS(config-sip)# exclude-translation body
failed-client-selection
Description Specifies the response when selection of an SIP client fails.
page 229
This option is applicable only if the configuration includes a connection-

reuse template.
Syntax [no] failed-client-selection {string | drop}
string Message string to send to the server; for example:
“480 Temporarily Unavailable”
If the message string contains a space, use double quotation marks around the string.
drop Drop the traffic.
Default Not set; the ACOS device resets the connection when selecting an SIP server
fails
Example Configure a response for failed client selection:

ACOS(config-sip)# failed-client-selection “480 Temporarily Unavailable”
failed-server-selection
Description Specifies the response when selection of an SIP server fails.
Syntax [no] failed-server-selection {string | drop}
string Message string to send to the client; for example:
“504 Server Time-Out”
If the message string contains a space, use double quotation marks around the string.
drop Drop the traffic.
Default Not set; the ACOS device resets the connection when selection of an SIP
server fails
Example Configure a response for failed server selection:

ACOS(config-sip)# failed-server-selection “504 Server Time-Out”
page 230
insert-client-ip
Description Inserts an “X-Forwarded-For: IP-address:port” header into SIP packets from
the client to the SIP server. The header contains the client IP address and
source protocol port number. The ACOS device uses the header to identify
the client when forwarding a server reply.

server-keep-alive
Description For configurations that use a connection-reuse template, this option speci-
fies how often the ACOS device sends a SIP ping on each persistent connec-
tion. The ACOS device silently drops the server’s reply. If the server does not
reply to a SIP ping within the connection-reuse timeout, the ACOS device
closes the persistent connection.
The connection-reuse timeout is configured by the timeout command at the

configuration level for the connection-reuse template. For more information,
see “slb template connection-reuse” on page 60.
Syntax [no] server-keep-alive num
Example Configure the keep-alive for 10 seconds:

ACOS(config-sip)# server-keep-alive 10
page 231
server-request-header erase
Syntax [no] server-request-header erase string [all]
all Erase all instances of the specified header. If not specified, only the first instance is
erased.

ACOS(config-sip)# server-request-header erase Max-Forwards
server-request-header insert

Examples:
server-request-header insert Max-Forwards:15
server-request-header insert “Max-Forwards: 15”
same field name.

page 232

ACOS(config-sip)# server-request-header insert “Max-Forwards: 15”
server-response-header erase
Syntax [no] server-response-header erase string [all]

ACOS(config-sip)# server-response-header erase Max-Forwards
server-response-header insert
Syntax [no] server-response-header insert field:value

Examples:
same field name.

page 233

ACOS(config-sip)# server-response-header insert “Max-Forwards: 15”
server-selection-per-request
Description Forces the ACOS device to perform the server selection process anew for
every SIP request. Without this option, the ACOS device reselects the same
server for subsequent requests (assuming the same server group is used),
unless overridden by other template options. This option applies to SIP-TCP
and SIPS virtual ports. The option is unnecessary for SIP over UDP. Strict
transaction switching is automatically used for SIP over UDP.
Syntax [no] server-selection-per-request

ACOS(config-sip)# server-selection-per-request
smp-call-id-rtp-session
Description Create a cross-CPU call-ID RTP session.
This feature enables your ACOS device to monitor RTP and SIP traffic. This
command creates a cross-CPU RTP session which can be matched by RTP
traffic.
Use this command with rtp-sip-call-id-match to configure this feature.
Syntax [no] smp-call-id-rtp-session
!
slb template sip test
!
!
page 234
slb virtual-server vv 0.0.0.0

port 0 udp
skip-rev-hash
message-switching
force-routing-mode
no-dest-nat
service-group win
rtp-sip-call-id-match
port 5060 sip
message-switching
force-routing-mode
service-group winms
template sip test
!
timeout
Description Specifies the number of minutes a SIP session can remain idle before the
ACOS device terminates the session.
Syntax [no] timeout num
Default 30 minutes
Example Configure the timeout for 5 minutes:

ACOS(config-sip)# timeout 5
page 235
page 236
Config Commands: SLB SMPP Templates
This chapter describes the commands and subcommands for configuring SLB Short Message Peer-to-
Peer (SMPP) templates. The following sections are available in this chapter:
• SLB SMPP Template Configuration Mode Commands
To apply a template to a virtual port, use the template command at the virtual port configuration level.

The following global configuration mode command is available to configure SLB SMPP templates:
• slb template smpp
slb template smpp

Description Configure SMPP 3.3 protocol load balancing template.
Syntax [no] slb template smpp template-name
This command enters the SLB SMPP Template Configuration Mode

Commands for the specified SMPP template.
Default The configuration does not have a default SMPP template.
Usage The normal form of this command creates an SMPP template. The no form
page 237
SLB SMPP Template Configuration Mode Commands

The following SLB SMPP template commands are available:
• client-enquire-link
• server-enquire-link
• server-selection-per-request
• user
To access these commands at the SLB SMPP template level, enter the slb template smpp command.
client-enquire-link
Description When enabled, ACOS replies to clients directly with an ENQUIRE_LINK mes-
sage. The ENQUIRE_LINK message prevents the client connection from tim-
ing out and serves the same purpose as a keepalive message.
Syntax [no] client-enquire-link
Mode SLB SMPP template
ACOS(config)# slb template smpp smpp-tmp1

ACOS(config-smpp)# client-enquire-link
server-enquire-link
Description Prevents reusable connections to the SMPP server from aging out. When
this option is enabled, ACOS regularly sends an ENQUIRE_LINK message to
the SMPP server to maintain the client-to-server connection.
Syntax [no] server-enquire-link num
num Number of seconds at which the keepalive message is sent (5-
300).
Default 30 seconds.
Example Set the interval to 15 seconds.
page 238

ACOS(config-smpp)# server-enquire-link 15
server-selection-per-request
Description Forces ACOS to perform server selection process for each SMPP request.
Without this option, ACOS device selects same server for subsequent
requests, assuming same server group is used, unless overridden by other
template options.
This command works only in conjunction with a connection-reuse template.

In addition, this command requires that a username-password pair is
configured in the SMPP template, so that ACOS can immediately
authenticate SMPP clients for every instance of server selection.
Syntax [no] server-selection-per-request
Example Enable this feature and configure a username-password pair.

ACOS(config-smpp)# server-selection-per-request
ACOS(config-smpp)# user exampleuser password examplepassword
user
Description Sets a username and password which the ACOS device uses to authenticate
SMPP clients.
If you configure a user and password, you must configure the same
username-password pair for all SMPP clients and servers. Otherwise, the
ACOS device will never open a TCP connection between the clients and
servers.
Syntax [no] user username password password
username User name to use for SMPP client authentication (1-63 charac-
ters).
password Password to use for SMPP client authentication (1-63 charac-
ters).
Example Create “exampleuser” and “examplepassword”.
page 239

ACOS(config-smpp)# user exampleuser password examplepassword
page 240
Config Commands: SLB SMTP Templates
This chapter describes the commands and subcommands for configuring SLB SMTP templates.
• SLB SMTP Template Configuration Mode Commands
port.

The following global configuration mode command is available to configure SLB SMTP templates:
• slb template smtp
slb template smtp

Description Configure STARTTLS support for Simple Mail Transfer Protocol (SMTP) cli-
ents.
Syntax [no] slb template smtp template-name
This command enters the SLB SMTP Template Configuration Mode

Commands for the specified SMTP template.
page 241
Usage The normal form of this command creates an SMTP template. The no form
You can bind only one SMTP template to a virtual port. However, you can
bind the same SMTP template to multiple ports.
Example The following commands configure an SMTP template named “secure-mail”.

The template enforces use of STARTTLS by mail clients, disables client use
of certain SMTP commands, and directs clients to a service group based on
client domain.
ACOS(config)# slb template smtp secure-mail

ACOS(config-smtp)# starttls enforced
ACOS(config-smtp)# command-disable expn turn vrfy
ACOS(config-smtp)# client-domain-switching contains hq service-group smtp-sg1
ACOS(config-smtp)# client-domain-switching contains northdakota service-group smtp-sg2
Example The following commands configure an SMTP template called “smtp-

domain”. The template uses client domain switching to select a service
group based on the email client’s domain. Clients from any domain that
starts with “smb” are sent to service group “smtp-sg1”. Clients whose
domain name does not start with “smb” and whose domain name contains
“company1” are sent to service group “smtp-sg2”. Clients whose domain
name does not match on the starts-with or contains strings and ends with
“.com” are sent to service group “smtp-sg3”.
ACOS(config)# slb template smtp smtp-domain

ACOS(config-smtp)# client-domain-switching starts-with smb service-group smtp-sg1
ACOS(config-smtp)# client-domain-switching contains company1 service-group smtp-sg2
ACOS(config-smtp)# client-domain-switching ends-with .com service-group smtp-sg3
SLB SMTP Template Configuration Mode Commands

The following SLB SMTP template commands are available:
• client-domain-switching
• command-disable
• server-domain
• service-ready-msg
page 242
• starttls
To access these commands at the SLB SMTP template level, enter the slb template smtp command.
client-domain-switching
Description Selects a service group based on the domain of the client. You can specify
all or part of the client domain name. This command is applicable when you
have multiple SMTP service groups.
Syntax [no] client-domain-switching {starts-with | contains | ends-with}

string service-group name
starts-with Matches only if the client’s domain name starts with string.
contains Matches if the string appears anywhere within the domain
name of the client.
ends-with Matches only if the client’s domain name starts with string.
name Name of the service group to use for matches.
Default Not set; all client domains match, and any service group can be used.
Mode SLB SMTP template
Usage The starts-with, contains, and ends-with options are always applied in the
following order, regardless of the order in which the commands appear in the
configuration. The service group for the first match is used.
• starts-with
• contains
• ends-with
If a template has more than one command with the same option (starts-
with, contains, or ends-with) and a client domain matches on more than one
of them, the most-specific match is always used.
If a contains rule and an ends-with rule match on exactly the same string,
the ends-with rule is used, because it has the more specific match. Here is
an example of a set of client-domain-switching rules in an SMTP template.
The numbers to the right indicate the precedence of the rules when
matching on client domain name “localhost”. In this case, the last rule is the
best match and will be used.
client-domain-switching contains localhost service-group sg-a (4)
client-domain-switching contains local service-group sg-b (5)
client-domain-switching ends-with host service-group sg-c (6)
client-domain-switching ends-with localhost service-group sg-d (3)
page 243
client-domain-switching starts-with local service-group sg-e (2)

client-domain-switching starts-with localhost service-group sg-f (1)
Example This example directs clients to service group “smtp-sg1” if their domain con-
tains the string “hq”:
ACOS(config)# slb template smtp smtp-tmp1

ACOS(config-smtp)# client-domain-switching contains hq service-group smtp-sg1
command-disable
Description Disables support of the specified SMTP commands. If a client tries to issue a
disabled SMTP command, ACOS sends the following message to the client:
502 - Command not implemented
Syntax [no] command-disable {expn | turn | vrfy}
expn Disable SMTP EXPN commands.
turn Disable SMTP TURN commands.
vrfy Disable SMTP VRFY commands.
Default EXPN, TURN, and VRFY are all enabled.
Example Disable SMTP EXPN commands:

ACOS(config-smtp)# command-disable expn
page 244
server-domain
Description Specifies the Email server domain. This is the domain for which the ACOS
device provides SMTP load balancing.
Syntax [no] server-domain name
name Name of the Email server domain (1-31 characters).
Default “mail-server-domain”
Example Set “exampledomain” as the Email server domain.

ACOS(config-smtp)# server-domain exampledomain
service-ready-msg
Description Specifies the text of the SMTP service-ready message sent to clients. The
complete message sent to the client is constructed as follows:
200 - smtp-domain service-ready-string
Syntax [no] service-ready-msg string
string Service-ready message (1-127 characters).
Default “ESMTP mail service ready”
Example Set “Your ESMTP mail service is ready” as the service-ready message.

ACOS(config-smtp)# service-ready-msg “Your ESMTP mail service is ready”
page 245
starttls
Description Specifies whether or not use of STARTTLS by clients is required.
Syntax starttls {client | server} {optional | enforced}
client Configure client-side STARTTLS.
server Configure server-side STARTTLS.
optional Client or server can use STARTTLS but are not required to do
so.
enforced Before any mail transactions are allowed, the client must issue
the STARTTLS command to establish a secured session. If the
client does not issue the STARTTLS command, ACOS sends the
following message to the client:
530 - Must issue a STARTTLS command first
Default Disabled.
Example Make STARTTLS use mandatory for the client.

ACOS(config-smtp)# starttls client enforced
page 246
Config Commands: SLB SSLi Templates
This chapter describes the commands and subcommands for configuring SLB SSLi templates.
• SLB SSLi Template Configuration Mode Commands
port.
page 247

The following global configuration mode command is available to configure SLB SSLi templates:
• slb template ssli
slb template ssli

Description Configures a virtual server template that specifies the accepted protocols
that the virtual server can provide SSLi services. The type sub-commands
specify the accepted protocols running over SSL.
Syntax [no] slb template ssli template-name
This command enters the SLB SSLi Template Configuration Mode for the
specified SSLi template. For additional commands, see “SLB SSLi Template
Configuration Mode Commands” on page 249.
Default SSLi on HTTPS sessions is enabled by default.
Example Create an SLB SSLi template for SMTP:
ACOS(config)# slb template ssli smtp_insight

ACOS(config-ssli)# type smtp
page 248
SLB SSLi Template Configuration Mode Commands

The following SLB SSLi template commands are available:
• type
To access these commands at the SLB SSli template level, enter the slb template ssli command.
type
Description Specifies the service that is intercepted by SSLi.
Syntax [no] type {http | xmpp | smtp | pop}
http HTTP service.
xmpp XMPP service.
smtp SMTP service.
pop POP service.
Default HTTP
Mode SLB SSLi template
Example Create an SLB SSLi template for SMTP:
ACOS(config)# slb template ssli ssli-tmp1

ACOS(config-ssli)# type smpt
page 249
page 250
Config Commands: SLB TCP Templates
This chapter describes the commands and subcommands for configuring SLB TCP templates.
• SLB TCP Template Configuration Mode Commands
port.

The following global configuration mode command is available to configure SLB TCP templates:
• slb template tcp
slb template tcp

Description Create or modify a template for configuring TCP connection settings.
Syntax [no] slb template tcp {default | template-name}
default Edit the default TCP template. This template can be modified
in the same way as any custom template-name you specify.
This command enters the SLB TCP Template Configuration Mode

Commands for the specified TCP template.
page 251
Usage The normal form of this command creates a TCP configuration template.
You can bind only one TCP template to a virtual port. However, you can bind
the same TCP template to multiple ports.
Example The following commands configure a TCP template named “test” that sets
the TCP window size to 1460 bytes, and bind the template to virtual service
port 22 on virtual server vs1:
ACOS(config)# slb template tcp test

ACOS(config-l4 tcp)# initial-window-size 1460
ACOS(config-slb vserver-vport)# template tcp test
Example The following commands configure a TCP template that quickly terminates
half-open sessions while allowing active sessions to continue.
ACOS(config)# slb template tcp halfopen-tcp

ACOS(config-l4 tcp)# force-delete-timeout 3 alive-if-active
ACOS(config-l4 tcp)# reset-fwd
ACOS(config-l4 tcp)# reset-rev
SLB TCP Template Configuration Mode Commands

The following SLB TCP template commands are available:
• force-delete-timeout
• force-delete-timeout-100ms
• half-close-idle-timeout
• half-open-idle-timeout
• idle-timeout
• initial-window-size
page 252
• lan-fast-ack
• qos
• reset-follow-fin
• reset-fwd
• reset-rev
To access these commands at the SLB TCP template level, enter the slb template tcp command.
Description This command clears a TCP session within 2 to 3 seconds if a session
server is disabled by ACOS command or the server fails an ACOS health
Active sessions, (receiving client-side packets) are cleared within 2 to 3

seconds. Idle sessions may continue to exist for more than a minute after
the command is issued.
Mode SLB TCP template
ACOS(config)# slb template tcp tcp-tmp1

ACOS(config-l4 tcp)# del-session-on-server-down
force-delete-timeout
Description Specifies the maximum number of seconds a session can remain active, and
forces deletion of any session still active after the specified number of sec-
onds.
This option is useful for small, fast transactions for which the completion
time of sessions is guaranteed. When used in combination with the reset-
fwd and reset-rev options, the force-delete-timeout option can help clean up
user connections with RSTs instead of allowing the connections to hang.
This command can not be used with the client-SSL or server-SSL template
close-notify option. Doing so may cause unexpected behavior
page 253
Syntax [no] force-delete-timeout num [alive-if-active]
alive-if-active Terminates half-open TCP sessions on the virtual port
while allowing active sessions to continue without being
terminated.
Default Not set.
Example Set the timeout to 10 seconds.

ACOS(config-l4 tcp)# force-delete-timeout 10
force-delete-timeout-100ms
Description Specifies the maximum time (milliseconds) a session can remain active.
Forces deletion of any session still active after the specified number of milli-
seconds.
Syntax [no] force-delete-timeout-100ms num [alive-if-active]
num Number of 100ms units (1-31).
alive-if-active Terminates half-open TCP sessions on virtual port while
allowing active sessions to continue without being termi-
nated.
Default Not set.
Example Set the timeout to 10 100-milliseconds (1 second).

ACOS(config-l4 tcp)# force-delete-timeout-100ms 10
page 254
half-close-idle-timeout
Description Enables aging of half-closed TCP sessions. A half-closed TCP session is a
session in which the server sends a FIN but the client does not reply with an
ACK.
Syntax [no] half-close-idle-timeout num
Default Not set; half-closed TCP sessions are kept open indefinitely.

ACOS(config-l4 tcp)# half-close-idle-timeout 60
half-open-idle-timeout
Description Enables aging of half-open TCP sessions. A half-open TCP session is one in
which the client receives a SYN-ACK, but does not reply with an ACK.
Syntax [no] half-open-idle-timeout num
Default Not set.

ACOS(config-l4 tcp)# half-open-idle-timeout 60
page 255
idle-timeout
Description Specifies the number of minutes that a connection can be idle before the
ACOS device terminates the connection.
Syntax [no] idle-timeout num
num Number of seconds (1-2097151, about 24 days).
• For values less than 31, ACOS uses the entered value.
• For values between 31 and 60, ACOS rounds up to 60 seconds.
• For values greater than 60, ACOS rounds down to the closest multiple of 60 seconds.
Default 120 seconds
Example Set the idle timeout to 60 seconds.

initial-window-size
Description Sets the initial TCP window size in SYN ACK packets to clients. The TCP win-
dow size in a SYN ACK or ACK packet specifies the amount of data that a cli-
ent can send before it needs to receive an ACK.
The initial TCP window size applies only to the SYN ACKs sent to the client.
After the SYN ACK, the ACOS device does not modify the TCP window size
for any other packets in the session.
By default, the ACOS device uses the TCP window size set by the client or
server:
Syntax [no] initial-window-size num
num Window size in bytes (1-65535).
Example Set the initial TCP window size to 256.

ACOS(config-l4 tcp)# initial-window-size 256
page 256
insert-client-ip
Description Inserts the client IP address into an options field in the TCP header.
This option is useful for applications that require knowledge of the client IP
address, but that do not use HTTP or another protocol such as Financial
Information eXchange (FIX) that can include this information.
For example, insertion of the client IP address into the TCP header can be
useful for financial applications that do not use FIX.
When this feature is enabled, ACOS places the client IP address into a TCP
option field of type 0x1c, with a length of 7 bytes. For example, the value
placed by ACOS into the TCP header for client 40.40.40.26 is
0x1c07012828281a.
Default Not enabled

ACOS(config-l4 tcp)# insert-client-ip
lan-fast-ack
Description Increases performance of bidirectional peer sessions by acknowledging
receipt of data on behalf of clients and servers.
Syntax [no] lan-fast-ack
Default Not enabled

ACOS(config-l4 tcp)# lan-fast-ack
page 257
qos
Description Marks DSCP (Layer 3) and 802.1p priority (Layer 2) values in client-server
SLB traffic.
Syntax [no] qos num
num Values range between 1 to 63. Based on the value you specify, ACOS marks the traffic as fol-
lows:
• Layer 3 marking – ACOS sets Diffserv Control Point (DSCP) value in IP header to specified
value.
• Layer 2 marking – ACOS sets 802.1p value in MAC header to the value you specify, divided by
9.
Example Set the QOS value to 63:

ACOS(config-l4 tcp)# qos 63
reset-follow-fin
Description enables closing a client or server connection with a reset (RST) on the first
FIN received from the client or server.
Syntax [no] reset-follow-fin
Usage This option alleviates the situation where a backend server receives the cli-
ent FIN, ACKs the FIN, enters CLOSE_WAIT but does not close the connec-
tion (no-FIN behavior), which can result in a build-up of CLOSE-WAIT
sessions and the subsequent resource exhaustion on the server.
ACOS(config)# slb template TCP TCP-TEMP

ACOS(config-l4 tcp)# reset-follow-fin
ACOS(config-l4 tcp)#
page 258
reset-fwd
Description Sends a TCP RST to the real server after a session times out.
Syntax [no] reset-fwd

ACOS(config-l4 tcp)# reset-fwd
reset-rev
Description Sends a TCP RST to the client after a session times out.
This command does not send an RST if a server selection failure occurs. To
do this, use the reset-on-server-selection-fail option at the configuration
level for the service group or virtual port.
Syntax [no] reset-rev [STATE]
STATE • disable - Send the TCP RST only when the server is Disabled.
• down - Send the TCP RST only when a server is Down.
• When no option is specified, TCP RST is sent for any error.
Usage If the server is Down, the reset-rev option immediately sends the RST to the
client and does not wait for the session to time out.
When using reset-rev disable with the disable-with-hm command under SLB
server configuration, the server is not treated as “disabled” since persist
sessions continue to use the “disabled” server.
When using reset-rev disable with the slb graceful-shutdown Global

configuration command, state of enabled is also not treated as disabled but
as UP since existing sessions need to be drained and not reset.
page 259

ACOS(config-l4 tcp)# reset-rev
page 260
Config Commands: SLB TCP Proxy Templates
This chapter describes the commands and subcommands for configuring SLB TCP Proxy templates.
• SLB TCP Proxy Template Configuration Mode Commands
port.

The following global configuration mode command is available to configure SLB TCP Proxy templates:
• slb template tcp-proxy
slb template tcp-proxy

Description Configure TCP/IP stack parameters.
Syntax [no] slb template tcp-proxy {default | template-name}
default Edit the default TCP proxy template. This template can be
you specify.
This command enters the SLB TCP Proxy Template Configuration Mode
Commands for the specified TCP-Proxy template.
page 261
Usage The normal form of this command creates a TCP-proxy configuration tem-
plate. The no form of this command removes the template.
You can bind only one TCP-proxy template to a virtual port. However, you
can bind the same TCP-proxy template to multiple ports.
Example The following commands create a TCP-proxy template named “rst” and set
the idle timeout to 3000 seconds: When the idle timeout occurs, the ACOS
device will send an RST to the client. In cases where the server goes down,
the ACOS device will reset the connection.
ACOS(config)# slb template tcp-proxy rst

ACOS(config-tcp proxy)# idle-timeout 3000
ACOS(config-tcp proxy)# reset-rev
ACOS(config-tcp proxy)# server-down-action RST
SLB TCP Proxy Template Configuration Mode Commands

The following SLB TCP proxy template commands are available:
• ack-aggressiveness
• backend-wscale
• dynamic-buffer-allocation
• fin-timeout
• force-delete-timeout
• force-delete-timeout-100ms
• half-close-idle-timeout
• half-open-idle-timeout
• idle-timeout
• init-cwnd
• initial-window-size
page 262
• keepalive-interval
• keepalive-probes
• mss
• nagle
• qos
• receive-buffer
• reno
• reset-fwd
• reset-rev
• retransmit-retries
• syn-retries
• timewait
• transmit-buffer
To access these commands at the SLB TCP proxy template level, enter the slb template tcp-proxy com-
mand.
ack-aggressiveness
Description Specifies the cases in which the ACOS device sends an ACK to the client.
A high ACK aggressiveness helps reduce the delay of interactive client-

server applications, but at a cost of more ACKs.
Syntax [no] ack-aggressiveness {high | medium | low}
high Send ACK for each packet.
medium Delayed ACK, with ACK on each packet with PUSH flag.
low Delayed ACK.
Default low
Mode SLB TCP proxy template
Example Set the ACK aggressiveness level to medium:
ACOS(config)# slb template tcp-proxy default
page 263
ACOS(config-tcp proxy)# ack-aggressiveness medium
backend-wscale
Description Specifies the TCP window scaling factor for backend connections to servers.
The TCP window scaling factor is applicable to virtual ports for which the
ACOS device acts as a TCP proxy.
The TCP window scaling factor is used to calculate the TCP receive window,
which is the maximum amount of data (in bytes) the receiver on a TCP
connection will buffer. The sender is not allowed to send more than this
amount of data before receiving an acknowledgement that the data has
arrived.
Syntax [no] backend-wscale num
num Scaling factor (1-14).
Default 1
Example Set the scaling factor to 3.

ACOS(config-tcp proxy)# backend-wscale 3
Description This command clears a port protocol session within 2 to 3 seconds if a ses-
sion server is disabled by ACOS command or the server fails an ACOS health
Active sessions, (receiving client-side packets) clear within 2 to 3 seconds.

Idle sessions may continue to exist for over a minute after the command is
issued.
page 264

ACOS(config-tcp proxy)# del-session-on-server-down
dynamic-buffer-allocation
Description Optimally adjusts the transmit and receive buffer sizes of TCP-proxy while
maintaining a constant sum of combined values.
Syntax [no] dynamic-buffer-allocation
Default Not enabled
Example Enable the feature.

ACOS(config-tcp proxy)# dynamic-buffer-allocation
fin-timeout
Description Specifies the number of seconds that a connection can be in the FIN-WAIT
or CLOSING state before the ACOS device terminates the connection.
Syntax [no] fin-timeout num
num Timeout in seconds (1-60).
Default 5

ACOS(config-tcp proxy)# fin-timeout 7
force-delete-timeout
Description Specifies maximum number of seconds a session can remain active, and
forces deletion of any session that is still active after the specified number of
seconds.
This option is useful for small, fast transactions for which the completion
time of sessions is guaranteed. When used in combination with the reset-
fwd and reset-rev commands, this option can help clean up user
connections with RSTs instead of allowing the connections to hang.
page 265
Syntax [no] force-delete-timeout num [alive-if-active]
alive-if-active Terminates half-open TCP sessions on the virtual port while allowing active sessions to
continue without being terminated.

ACOS(config-tcp proxy)# force-delete-timeout 10
force-delete-timeout-100ms
Description Specifies the maximum number of milliseconds a session can remain active,
and forces deletion of any session that is still active after the specified num-
ber of milliseconds.
Syntax [no] force-delete-timeout-100ms num [alive-if-active]
num Number of 100ms units (1-31).
alive-if-active Terminates half-open TCP sessions on the virtual port while allowing active sessions to
continue without being terminated.
Example Set the timeout to 10 100-milliseconds (1 second).

ACOS(config-tcp proxy)# force-delete-timeout-100ms 10
page 266
half-close-idle-timeout
Description Enables aging of half-closed TCP sessions. A half-closed TCP session is a
session in which the server sends a FIN but the client does not reply with an
ACK.
Syntax [no] half-close-idle-timeout num

ACOS(config-tcp proxy)# half-close-idle-timeout 60
half-open-idle-timeout
Description Enables aging of half-open TCP sessions. A half-open TCP session is one in
which the client receives a SYN-ACK, but does not reply with an ACK.
Syntax [no] half-open-idle-timeout num

ACOS(config-tcp proxy)# half-open-idle-timeout 60
page 267
idle-timeout
Description Specifies the number of minutes that a connection can be idle before the
Default 600 seconds
Usage See “keepalive-interval” on page 270 for more information about how the idle
timeout and keepalive values are related.
Example Set the idle timeout to 60 seconds.

ACOS(config-tcp proxy)# idle-timeout 60
init-cwnd
Description Specifies the maximum number of unacknowledged packets that can be
sent on a TCP connection. A large initial congestion-control window size
helps reduce HTTP response latency, especially for short web pages.
Syntax [no] init-cwnd num
num Number of unacknowledged packets (1-15).
Default 10
Example Set the initial congestion-window size to 12.

ACOS(config-tcp proxy)# init-cwnd 12
page 268
initial-window-size
Description Sets the initial TCP window size in SYN ACK packets to clients. The TCP win-
dow size in a SYN ACK or ACK packet specifies the amount of data that a cli-
ent can send before it needs to receive an ACK.
The initial TCP window size applies only to the SYN ACKs sent to the client.
After the SYN ACK, the ACOS device does not modify the TCP window size
for any other packets in the session.
By default, the ACOS device uses the TCP window size set by the client or
server:
• If the virtual port is one of the service types that is proxied by the ACOS
device, initial TCP window size applies to SYN ACKs generated by the
ACOS device and sent to clients. By default, the ACOS device uses the
TCP window size in the client’s SYN. The following service types are
proxied by the ACOS device: HTTP, HTTPS, Fast-HTTP, SSL-proxy, and
SMTP.
• If the virtual port is not one of the service types that is proxied by the
ACOS device (for example, the tcp service type), initial TCP window size
applies to SYN ACKs generated by servers and forwarded by the ACOS
device to clients. By default, the ACOS device uses the TCP window size
in the server’s SYN ACK.
If SYN cookies are enabled, either globally or on the virtual service port, the
ACOS device acts as a TCP proxy even though the service type is not
normally proxied. In this case, the behavior is the same as for any of the
other service types TCP proxied by the ACOS device
Syntax [no] initial-window-size num
num Window size in bytes (1-65535).
Example Set the initial TCP window size to 256.

ACOS(config-tcp proxy)# initial-window-size 256
insert-client-ip
Description Inserts the client IP address into an options field in the TCP header.
This option is useful for applications that require knowledge of the client IP
address, but that do not use HTTP or another protocol such as Financial
Information eXchange (FIX) that can include this information.
page 269
For example, insertion of the client IP address into the TCP header can be
useful for financial applications that do not use FIX.
When this feature is enabled, ACOS places the client IP address into a TCP
option field of type 0x1c, with a length of 7 bytes. For example, the value
placed by ACOS into the TCP header for client 40.40.40.26 is
0x1c07012828281a.
Default Not enabled

ACOS(config-tcp proxy)# insert-client-ip
keepalive-interval
Description Number of seconds a TCP-proxy session can remain idle before the ACOS
device sends a TCP ACK to the devices on both ends of the session.
Syntax [no] keepalive-interval num
num Keepalive interval in seconds (60-12000).
Default Not set
Usage The keepalive feature, which for TCP-proxy templates, periodically verifies
that a TCP-proxy session is still up on both ends of the session. The
keepalive feature uses keepalive interval to establish the number of seconds
a TCP-proxy session can remain idle before the ACOS device sends a TCP
ACK to the devices on both ends of the session, and the keepalive probe
count allows you to set the maximum number of times the ACOS device
sends a keepalive ACK, before deleting the session.
The ACOS device sends the first keepalive ACK if a session remains idle for
the duration of the keepalive interval:
• If both devices respond with an ACK before the next keepalive interval
expires, the ACOS device resets the keepalive time to 0. This starts a
new keepalive interval.
• If either device does not respond with an ACK before the next keepalive
interval expires, the action taken by the ACOS device depends on the
setting of the keepalive probe count.
page 270
• Keepalive probe count set to value greater than 1 – The ACOS device
sends another ACK to each device.
- If both devices respond, the ACOS device resets the keepalive time
to 0, to begin a new keepalive interval.
- If either device does not respond, the ACOS device sends another
ACK to each device. This action can be repeated up to the configured
maximum number of probes (the probe count).
• Keepalive probe count set to 1 – The ACOS device does not send
new probe ACKs. Instead, the ACOS device deletes the session.
Relation of Keepalive to Idle-timeout
The keepalive and idle-timeout options work independently of one another.
By default, the keepalive interval is shorter than the idle timeout. In this case,
keepalive probes are triggered before the idle timeout expires.
• If both devices respond with an ACK before either of the following
occurs, the keepalive interval time and the idle time are both reset to 0.
• Idle timeout expires – If this occurs, the session is deleted, even if the
maximum number of keepalive probes have not been sent.
• Maximum number of keepalive probes are sent, but at least one of
the devices still does not respond – In this case, the session is
deleted even if the idle timeout has not expired.
If you change the keepalive or idle-timeout settings so that the idle timeout is
shorter than the keepalive interval, the keepalive mechanism is never
triggered. The idle timeout always expires first, causing the session to be
deleted. No keepalive probes are ever sent.
Example Set the keepalive interval to 120 seconds.

ACOS(config-tcp proxy)# keepalive-interval 120
page 271
keepalive-probes
Description Maximum number of times the ACOS device sends a keepalive ACK, before
deleting the session.
Syntax [no] keepalive-probes num
num Number of keepalive probes (2-10).
Default Not set
Example Send 5 keepalive ACKs before deleting the session:

ACOS(config-tcp proxy)# keepalive-probes 5
mss
Description Change the minimum supported TCP Maximum Segment Size (MSS).
Syntax [no] mss num
num TCP maximum segment size in octets (128-1460).
Default 1460
Example Set the MSS to 1460:

ACOS(config-tcp proxy)# mss 1460
nagle
Description Enables Nagle congestion compression (described in RFC 896).
Syntax [no] nagle
Default Not enabled
Example Enable the feature:
page 272

ACOS(config-tcp proxy)# nagle
qos
Description Marks the DSCP (Layer 3) and 802.1p priority (Layer 2) values in client-server
SLB traffic.
Syntax [no] qos num
num You can set a value between 1 to 63. Based on the value
you specify, ACOS marks the traffic as follows:
• Layer 3 marking – ACOS sets the Diffserv Control Point

(DSCP) value in the IP header to value you specify.
• Layer 2 marking – ACOS sets the 802.1p value in the

MAC header to the value you specify, divided by 9.

ACOS(config-tcp proxy)# qos 63
receive-buffer
Description Specifies the maximum number of bytes addressed to the port that the
ACOS device will buffer.
Syntax [no] receive-buffer num
num Number of bytes to buffer (1-2147483647).
Default 204800 (200KB)
Example Set the buffer size to 51200:

ACOS(config-tcp proxy)# receive-buffer 51200
page 273
reno
Description Enables the TCP Reno congestion control algorithm, and disables Cubic.
Syntax [no] reno
Default Not enabled; Cubic is used by default
Example Enable TCP Reno congestion control algorithm:

ACOS(config-tcp proxy)# reno
reset-fwd
Description Sends a TCP RST to the real server after a session times out.
Syntax [no] reset-fwd

ACOS(config-tcp proxy)# reset-fwd
reset-rev
Description Sends a TCP RST to the client after a session times out.
Syntax [no] reset-rev [STATE]
STATE • disable - Send TCP RST only when the server is Dis-
abled.
• down - Send the TCP RST only when a server is Down.
When no option is specified, TCP RST is sent for any error.
Usage If the server is Down, the reset-rev option immediately sends the RST to the
client and does not wait for the session to time out.
When using reset-rev disable with the disable-with-hm command under SLB
server configuration, the server is not treated as “disabled” since persist
sessions continue to use the “disabled” server.
page 274
When using reset-rev disable with the slb graceful-shutdown Global

configuration command, state of enabled is also not treated as disabled but
as UP since existing sessions need to be drained and not reset.

ACOS(config-tcp proxy)# reset-rev
retransmit-retries
Description Specifies the maximum number of times the ACOS device can retransmit a
data segment for which the ACOS device does not receive an ACK.
Syntax [no] retransmit-retries num
num Number of retries (1-20).
Default 5
Example Configure 3 retry attempts:

ACOS(config-tcp proxy)# retransmit-retries 3
syn-retries
Description Specifies the maximum number of times the ACOS device can retransmit a
SYN for which the ACOS device does not receive an ACK.
Syntax [no] syn-retries num
num Number retries (1-20).
Default 5
Example Configure 7 retry attempts:

ACOS(config-tcp proxy)# syn-retries 7
page 275
timewait
Description Specifies the number of seconds that a connection can be in the TIME-WAIT
state before the ACOS device transitions it to the CLOSED state.
Syntax [no] timewait num
Default 5 seconds
Example Set the timewait interval to 7 seconds:

ACOS(config-tcp proxy)# timewait 7
transmit-buffer
Description Specifies the maximum number of bytes sent by the port that the ACOS
device will buffer.
Syntax [no] transmit-buffer num
num Number of bytes to buffer (1-2147483647).
Default 204800 (200KB)
Example Set the buffer size to 51200 bytes:

ACOS(config-tcp proxy)# transmit-buffer 51200
page 276
Config Commands: SLB UDP Templates
This chapter describes the commands and subcommands for configuring SLB UDP templates.
• SLB UDP Template Configuration Mode Commands
port.

The following global configuration mode command is available to configure SLB UDP templates:
• slb template udp
slb template udp

Description Configure UDP connection settings.
Syntax [no] slb template udp {default | template-name}
default Edit the default SLB UDP template. This template can be
you specify.
This command enters the SLB UDP Template Configuration Mode

Commands for the specified UDP template.
page 277
Usage The normal form of this command creates a UDP configuration template.
You can bind only one UDP template to a virtual port. However, you can bind
the same UDP template to multiple ports.
Example The following commands create a UDP template named “udp-quickterm”

and set session termination to occur immediately after a response is
received:
ACOS(config)# slb template udp udp-quickterm

ACOS(config-l4 udp)# aging immediate
SLB UDP Template Configuration Mode Commands

The following SLB UDP template commands are available:
• aging
• idle-timeout
• qos
• re-select-if-server-down
• stateless-conn-timeout
To access these commands at the SLB UDP template level, enter the slb template udp command.
page 278
aging
Description Specifies how quickly sessions are terminated when the request is received.
Syntax [no] aging {immediate | short [seconds]}
immediate • Response Received—Session is terminated within 1 second.
• No Response—Idle timeout value in UDP template is used.

short • Response Received—Session is terminated within 1 second.
• No Response—Session is terminated after configured short

aging period (1-30 seconds).
NOTE: Best Practice is to explicitly set aging in UDP templates used by DNS
virtual ports.
Default Not set by default; the default behavior is:

• Response Received—Behavior depends on the port number:
• Port 53 (default DNS port)—Session terminates within 1 second.
• Any other port number—Session terminates after idle timeout
expires.
• No Response— Idle timeout value in UDP template is used.
Mode SLB UDP template
Example Configure immediate aging:
ACOS(config)# slb template udp udp-tmp1

ACOS(config-l4 udp)# aging immediate
page 279
idle-timeout
Description Specifies the number of seconds a connection can remain idle before the
The maximum idle timeout supported for TFTP virtual ports is 15300
seconds (255 minutes).
Default 120 seconds
Example Set the idle timeout to 300 seconds (5 minutes):

ACOS(config-l4 udp)# idle-timeout 300
qos
Description Marks the DSCP (Layer 3) and 802.1p priority (Layer 2) values in client-server
SLB traffic.
Syntax [no] qos num
num Sets a value between 1 to 63. Based on the value you specify, ACOS marks the traffic as fol-
lows:
• Layer 3 marking – ACOS sets Diffserv Control Point (DSCP) value in IP header to specified
value.
• Layer 2 marking – ACOS sets 802.1p value in MAC header to the specified value divided
by 9.
page 280
ACOS(config-l4 udp)# qos 54
re-select-if-server-down
Description Configures the ACOS device to select another real server if the server that is
bound to an active connection goes down. Without this option, another
server is not selected.
By default, the device clears all UDP sessions from the server that goes
down.
Syntax [no] re-select-if-server-down [disable-clear-session]
disable-clear-session When this option is enabled, the device does not immediately clear sessions
from a server that goes down.
Example These commands configures the device to select another real server when a
server bound to an active connection goes down and clears all UDP sessions
for the disabled server.

ACOS(config-l4 udp)# re-select-if-server-down
stateless-conn-timeout
Description Set the stateless current connection timeout value in seconds.
Syntax [no] stateless-conn-timeout num
num Stateless connection timeout value in seconds (5-120).
Default 120 seconds
Example Set the stateless connection timeout to 60 seconds.

ACOS(config-l4 udp)# stateless-conn-timeout 60
page 281
page 282
Config Commands: SLB Virtual Port Templates
This chapter describes the commands and subcommands for configuring SLB virtual port templates.
• SLB Virtual Port Template Configuration Mode Commands
To apply a template to a virtual port, use the template command at the virtual port configuration level.

The following global configuration mode command is available to configure SLB virtual server tem-
plates:
• slb template virtual-port
slb template virtual-port

Description Configure a template of SLB settings for virtual service ports.
Syntax [no] slb template virtual-port {default | template-name}
default Edit the default virtual port template. This template can be
modified similar to any custom template-name you specify.
This command enters the SLB Virtual Port Template Configuration Mode
Commands for the specified Virtual-Port template.
page 283
Usage The normal form of this command creates a virtual service port template.
You can bind only one virtual service port template to a virtual service port.
However, you can bind the virtual service port template to multiple virtual
service ports.
changed on the individual virtual port.
on the individual virtual port, the setting on the individual virtual port
takes precedence.
• If a parameter is set (or changed from its default) in a template but not
set or changed from its default on the individual virtual port, the tem-
plate setting takes precedence.
Example These commands configure a virtual service port template named “com-
mon-vpsettings”, set the connection limit, and bind the template to a virtual
port:
ACOS(config)# slb template virtual-port common-vpsettings

ACOS(config-vport)# conn-limit 500000
ACOS(config-vport)# exit
ACOS(config-slb vserver-vport)# template virtual-port common-vpsettings
Example The following commands create real servers “s1” at 5.5.5.1 (with a real port
range of 10), real server “s2” at 5.5.5.2 (with a range of 25), and real server
“s3” at 5.5.5.3 (which does not have a range configured and will not be used
for this feature). These real servers are then bound to a service group “sg1”,
which is in turn, bound to a VIP (“vip3”) at 10.10.10.0 /24. A virtual port tem-
plate “vport1” is created, and the allow-vip-to-rport-mapping option is
used, and the template is bound to the “vip3”.

ACOS(config-real server)# port 80 tcp range 10
ACOS(config-real server)# port 80 tcp range 25
page 284

ACOS(config)# slb service-group sg1 tcp
ACOS(config-slb svc group)# member s1 80
ACOS(config)# slb template virtual-port vport1
ACOS(config-vport)# allow-vip-to-rport-mapping
ACOS(config)# slb virtual-server vip3 10.10.10.0 /24
ACOS(config-slb vserver-vport)# template virtual-port vport1
ACOS(config-slb vserver-vport)# template virtual-port vport1
SLB Virtual Port Template Configuration Mode

Commands
The following SLB virtual port template commands are available:
• aflow
• allow-syn-otherflags
• allow-vip-to-rport-mapping
• conn-limit
• conn-rate-limit
• drop-unknown-conn
• dscp
page 285
• ignore-tcp-msl
• pkt-rate-limit
• reset-l7-on-failover
• reset-unknown-conn
• snat-msl
• snat-port-preserve
To access these commands at the SLB virtual-port template level, enter slb template virtual-port.
aflow
Description Enables aFlow control. aFlow helps avoid packet drops and retransmissions
when a real server port reaches its configured connection limit. aFlow con-
trol is triggered when either of the following occurs:
• If connection limit is configured on the real server or real port – The
backend real server or real port reaches its configured connection limit.
• If connection limit is not configured on the real server or real port – The
response time of the backend real server or real port increases dramati-
cally. The response time is the time between when the ACOS device for-
wards a request to the server, when the ACOS device receives the first
reply packet from the server.
NOTE: In the current release, it is recommended to use the first method for
triggering aFlow, by configuring connection limits on the real servers
or real ports. The second method of triggering aFlow is still being
refined and is considered to be in Beta status.
When aFlow is enabled, the ACOS device queues HTTP/HTTPS packets from
clients when a server port reaches a configured connection limit, instead of
dropping them. The ACOS device then monitors the port, and begins
forwarding the queued packets when connections become available again.
To prevent flooding of the port, the ACOS device forwards the queued
packets at a steady rate.
aFlow applies only to HTTP and HTTPS virtual ports.
Syntax [no] aflow
Mode SLB virtual-port template
ACOS(config)# slb template virtual-port vport-tmplt1

ACOS(config-vport)# aflow
page 286
allow-syn-otherflags
Description Allows initial SYN packet with other flags.
Syntax [no] allow-syn-otherflags

ACOS(config-vport)# allow-syn-otherflags
allow-vip-to-rport-mapping
Description Enables the VIP to Real Port Mapping feature for a subnet VIP.
The virtual port template containing this option must be bound to the VIP,
and the VIP itself must use a subnet for the last octet (for
example,10.10.10.0 /24), or the feature will not work.
Syntax [no] allow-vip-to-rport-mapping

ACOS(config-vport)# allow-vip-to-rport-mapping
page 287
conn-limit
Description Specifies the maximum number of connections allowed on virtual ports that
use this template.
Syntax [no] conn-limit connections [reset] [no-logging]
connections Maximum number of concurrent connections, 0-8000000.
reset Specify the action to take for connections after the connection
limit is reached on the virtual port. By default, excess connec-
tions are dropped. If you change the action to reset, the con-
nections are reset instead. Excess connections are dropped by
default.
Default Not configured by default.
tions.
Example Configure a connection limit of 10000 connections per second, and disable
logging:

ACOS(config-vserver)# conn-limit 10000 no-logging
page 288
conn-rate-limit
Description Limits the rate of new connections the ACOS device is allowed to send to vir-
tual ports that use this template. When a virtual port reaches its connection
limit, the ACOS device stops selecting the port for client requests.
Syntax [no] conn-rate-limit connections

[per {100ms | 1sec}] [reset] [no-logging]
connections Maximum new connections allowed on a server. You can specify 1-1048575 connec-
tions.
reset Send a reset (RST) to a client after the connection rate has been exceeded. By default
(without this option), the ACOS device silently drops the request.
If you configure a limit for a virtual server and also for an individual port, the ACOS
device uses the lower limit.
bound to the virtual server or virtual port, the connection counter for the vir-
tual port or server in show command output and in the GUI may become
incorrect. To avoid this, do not change the connection limiting configuration
until the virtual server or port does not have any active connections.
Example Configure a connection rate limit of 10000 connections per second, and dis-
able logging:
ACOS(config)# slb template virtual-port vport-tmply1

ACOS(config-vserver)# conn-rate-limit 10000 no-logging
drop-unknown-conn
Description Drop the connection a TCP packet without a SYN or RST flag is received, and
the packet does not belong to any existing connections.
Syntax [no] drop-unknown-conn
page 289

ACOS(config-vport)# drop-unknown-conn
dscp
Description Sets the Differentiated Services Code Point (DSCP) value in client requests
before forwarding them to the server.
Syntax [no] dscp num
num You can set the DSCP value to 1-63.
Example The following example illustrates how this feature works:
1. Configure a port template named t1 that marks DSCP 4 on outgoing

packets.
slb template port t1

dscp 4
2. Configure a virtual-port template named vp1 that marks DSCP 6 on
outgoing packets.
slb template virtual-port vp1

dscp 6
3. Bind t1 to both port 80 tcp and port 443 tcp.

port 80 tcp
template port t1
port 443 tcp
template port t1
4. Configure a virtual server named vip2 with virtual port 80 http and
port 443 tcp. Although the vp1 template is bound to both ports, outgo-
ing packets are marked with DSCP 4, because real ports take prece-
dence over virtual ports.
slb virtual-server vip2 fd5a:bfc:563c:bcda::100

port 80 http
source-nat pool s2
page 290
port 443 https
source-nat pool s2
template server-ssl s1
template client-ssl cl-ssl1
ignore-tcp-msl
Description Immediately reuse TCP sockets after session termination, without waiting
for the SLB Maximum Session Life (MSL) time to expire.
Syntax [no] ignore-tcp-msl

ACOS(config-vport)# ignore-tcp-msl
non-syn-initiation
Description Enables a TCP session to be created when the initial TCP packet is non-SYN.
This feature is useful in VRRP-A topologies where, after a failover, a non-SYN

packet from the existing connection arrives at the new active device and a
session can be created on the new active device without having to configure
haconn- mirror under the virtual port.
Syntax [no] non-syn-initiation
Usage To guarantee the same backend server is selected after failover, use the src-
ip-only method.
This feature is only supported on TCP virtual ports and not supported when:
• source-nat is configured on the virtual port.

• syn-cookie is configured on the virtual port.
• A conn-limit is configured on a real server or real port
page 291
pkt-rate-limit
Description Configure packet rate limit for the virtual port.
Syntax [no] pkt-rate-limit TYPE rate pkt-rate [SAMPLE] [THOLD] [LOG] [RR]
TYPE Specifies the rate limited source. Options include:
• src-ip-port — configure source IP and port rate limit.
• src-port — configure source port limit

pkt-rate Specifies the packet rate (per second). Value range is 1 to 1048575.
SAMPLE Specifies packet rate sampling interval. Options include:
• <no parameter> — packet rate sampling is measured in one second intervals.

• per second — packet rate sampling is measured in one second intervals.
• per 100ms — packet rate sampling is measured in 100 ms intervals

THOLD Specifies a packet rate threshold for sending a TCP reset that terminates sessions
that exceeds the threshold. Options include:
• <no parameter> — threshold is not set and TCP reset is never sent.
• reset rst-rate — TCP reset is sent when packet rate exceeds rst-rate (range is 1
to 1048575). The reset rate should be greater than the packet rate (pkt-rate).
LOG Specifies event logging frequency when packet rate is exceeded. Options include:
• <no parameter> — Log rate is once per minute (default).

• no-logging — log entries are not created when packet rate limit is exceeded.
• no-repeat-logging — event is logged once.

RR Specifies use of round robin distribution to trigger rate limiting. Options include:
• <no parameter> — CPU distribution algorithm not considered.

• when-rr-enable — Packets are rate limited only when CPU round-robin is trig-
gered.
Example These commands configure a template with a packet rate limit such packets
are dropped when the rate from a source port exceeds 500 packets per sec-
ond; a TCP reset is sent to terminate the session when the source’s packet
rate exceeds 1000 packets per second.
ACOS(config)# slb template virtual-port vsettings

ACOS(config-vport)# pkt-rate-limit src-port rate 500 reset 1000
ACOS(config-vport)#
page 292
reset-l7-on-failover
Description Resets a Layer 7 connection upon failover.
Syntax [no] reset-l7-on-failover

ACOS(config-vport)# reset-l7-on-failover
reset-unknown-conn
Description Enables sending TCP Reset (RST) in response to a session mismatch, which
occurs when the ACOS device receives a TCP packet for a TCP session that
is not in the active session table on the ACOS device.
Syntax [no] reset-unknown-conn

ACOS(config-vport)# reset-unknown-conn
snat-msl
Description Set the Maximum Segment Life (MSL) for source-NAT connections. This
option is useful for servers that have older TCP/IP stacks, which wait up to
240 seconds (4 minutes) after a FIN before the endpoint can enter a new
connection.
Syntax [no] snat-msl seconds
seconds You can set the MSL to 1-1800 seconds.
Example Set the source-NAT MSL to 45 seconds.
page 293
ACOS(config-vport)# snat-msl 45
snat-port-preserve
Description Attempts to preserve the client’s source port for traffic destined for the vir-
tual port.
Syntax [no] snat-port-preserve
Usage Note about this feature:

• Port preservation is not always guaranteed and is performed on a best-
effort basis.
• Port preservation does not work for FTP active mode sessions.
• Port preservation works only if source NAT is enabled for the virtual
port.

ACOS(config-vport)# snat-port-preserve
page 294
Config Commands: SLB Virtual Server Templates
This chapter describes the commands and subcommands for configuring SLB virtual server templates.
• Global Configuration Mode Commands
• SLB Virtual Server Template Configuration Mode Commands
port.
Global Configuration Mode Commands

The following global configuration mode command is available to configure SLB virtual server tem-
plates:
• slb template virtual-server
slb template virtual-server

Description Configure a template of SLB settings for virtual servers.
Syntax [no] slb template virtual-server {default | template-name}
default Edit the default virtual server template. This template can be
you specify.
This command enters the SLB Virtual Server Template Configuration Mode
Commands for the specified Virtual-Server template.
page 295
Usage The normal form of this command creates a virtual server template. The no
form of this command removes the template.
You can bind only one virtual server template to a virtual server. However,
you can bind the virtual server template to multiple virtual servers.
changed on the individual virtual server:
on the individual virtual server, the setting on the individual virtual server
takes precedence.
not set or changed from its default on the individual virtual server, the
setting in the template takes precedence.
Example The following commands configure a virtual server template called “vs-
tmplt1” that sets ICMP rate limiting and bind the template to a virtual server:
ACOS(config)# slb template virtual-server vs-tmplt1

ACOS(config-vserver)# icmp-rate-limit 25000 lock 30000 60
ACOS(config-vserver)# exit
ACOS(config-slb virtual server)# template virtual-server vs-tmplt1
SLB Virtual Server Template Configuration Mode

Commands
The following SLB virtual server template commands are available:
• conn-limit
• conn-rate-limit
• icmp-rate-limit
• icmpv6-rate-limit
• subnet-gratuitous-arp
page 296
To access commands at the SLB virtual-server template level, enter the slb template virtual-server
command.
conn-limit
Description Specifies the maximum number of connections allowed on virtual servers
that use this template.
Syntax [no] conn-limit connections [reset] [no-logging]
connections Maximum number of concurrent connections, 0-8000000.
reset Specify the action to take for connections after the connection limit is reached on the
virtual server. By default, excess connections are dropped. If you change the action to
reset, the connections are reset instead. Excess connections are dropped by default.
Mode SLB virtual-server template
tions.
Example Configure a connection limit of 10000 connections per second, and disable
logging:
ACOS(config)# slb template virtual-server vstempl1

ACOS(config-vserver)# conn-limit 10000 no-logging
page 297
conn-rate-limit
servers that use this template. When a real server reaches its connection
limit, the ACOS device stop selecting the server for client requests.
Syntax [no] conn-rate-limit connections

[per {100ms | 1sec}] [reset] [no-logging]
connections Maximum of new connections allowed on a server. You can specify 1-1048575 con-
nections.
reset Send a reset (RST) to a client after the connection rate has been exceeded. By default
(without this option), the ACOS device silently drops the request.
If you configure a limit for a server and also for an individual port, the ACOS device
uses the lower limit.
tions.
Example Configure a connection rate limit of 10000 connections per second, and dis-
able logging:

ACOS(config-vserver)# conn-rate-limit 10000 no-logging
page 298
icmp-rate-limit
Description Configures ICMP (v4) rate limiting for the virtual server, to protect against
denial-of-service (DoS) attacks.
Syntax [no] icmp-rate-limit normal-rate [lockup max-rate lockup-time]
normal-rate Maximum number of ICMP packets allowed per second. If the
virtual server receives more than the normal rate of ICMP pack-
ets, the excess packets are dropped until the next one-second
interval begins. The normal rate can be 1-65535 packets per
second.
max-rate Maximum number of ICMP packets allowed per second before
the ACOS device locks up ICMP traffic to the virtual server.
When ICMP traffic is locked up, all ICMP packets are dropped
until the lockup expires. The maximum rate can be 1-65535
packets per second. The maximum rate must be larger than the
normal rate.
lockup-time Number of seconds for which the ACOS device drops all ICMP
traffic to the virtual server, after the maximum rate is exceeded.
The lockup time can be 1-16383 seconds.
Default By default, this is not set. When enabled, specifying a maximum rate (lockup
rate) and lockup time is optional. If you do not specify them, lockup does not
occur.
Example Configure ICMP rate limiting to allow 5000 packets per second.

ACOS(config-vserver)# icmp-rate-limit 5000
page 299
icmpv6-rate-limit
Description Configures ICMPv6 rate limiting for the virtual server, to protect against
denial-of-service (DoS) attacks.
Syntax [no] icmpv6-rate-limit normal-rate [lockup max-rate lockup-time]
normal-rate Maximum number of ICMPv6 packets allowed per second. If the virtual server receives
more than the normal rate of ICMP packets, the excess packets are dropped until the
next one-second interval begins. The normal rate can be 1-65535 packets per second.
max-rate Maximum number of ICMPv6 packets allowed per second before the ACOS device
locks up ICMPv6 traffic to the virtual server. When ICMPv6 traffic is locked up, all
ICMPv6 packets are dropped until the lockup expires. The maximum rate can be 1-
65535 packets per second. The maximum rate must be larger than the normal rate.
lockup-time Number of seconds for which the ACOS device drops all ICMPv6 traffic to the virtual
server, after the maximum rate is exceeded. The lockup time can be 1-16383 seconds.
Default By default, this is not set. If you enable it, specifying a maximum rate (lockup
rate) and lockup time is optional. If you do not specify them, lockup does not
occur.
Example Configure ICMPv6 rate limiting to allow 5000 packets per second.

ACOS(config-vserver)# icmpv6-rate-limit 5000
subnet-gratuitous-arp
Description Enables gratuitous ARPs for all VIPs in subnet VIPs. A subnet VIP is a range
of VIPs created from a range of IP addresses within a subnet.
This option applies only to VIPs that are created using a range of subnet IP
addresses. The option has no effect on VIPs created with a single IP
address.
Syntax [no] subnet-gratuitous-arp
Default This is disabled by default; the ACOS device sends gratuitous ARPs for only
the first IP address in a subnet VIP.
Example Send a gratuitous ARPs for every IP in the subnet virtual server.

ACOS(config-vserver)# subnet-gratuitous-arp
page 300
Config Commands: SLB Servers
This chapter describes commands that configure SLB servers. These commands apply to real servers,
not virtual servers, described in “Config Commands: SLB Virtual Servers” on page 339. Commands
available at all levels (clear, debug, do, end, exit, no, show, write) are described in the Command Line
Interface Reference. To display configured servers, use the show slb server command.
• alternate
• clear slb unused-server-ports
• conn-limit
• conn-resume
• disable
• disable-with-health-check
• enable
• extended-stats
• external-ip
• health-check
• ipv6
• port
• slow-start
• spoofing-cache
• template server
• weight
To access this configuration level, enter the slb server server-name command at the global Config
level.
ACOS(config)# slb server s1

page 301
alternate
Description Assign an alternate server as a dedicated backup for a primary server.
Syntax [no] alternate sequence-num server-name
sequence-num Priority of the server as a backup. You can specify 1-16.
server-name Name of the alternate server.
Default Not set
Mode Real server
Usage You can assign up to 16 alternate servers to a primary server. Only 1 alter-
nate server for a given primary server can be active at a time.
This feature places an alternate server into service only if the primary server
goes down. Other features such as connection limiting or connection-rate
limiting can not cause an alternate server to be used. Do not add alternate
servers to the service group.
For more information, see the “Alternate Servers for Server-specific Backup”
chapter in the Application Delivery and Server Load Balancing Guide.
clear slb unused-server-ports

Description Deletes real server ports that are not assigned to at least one service group
by removing the corresponding port statements from slb real server configu-
rations.
The system log displays ports that are deleted by the clear command.
Syntax clear slb unused-server-ports [all-partitions]
The command is available in all partitions. The all-partitions option is only

available in the shared partition and extends the command influence to all
partitions on the device. When the all-partition option is not specified, the
clear port action is effective only within the partition where it is invoked.
Block merge and replace modes do not support the removal of ports through
this clear command. The system log provides a Warning message when the
clear slb unused-server-port command is not successful.
Example The clear slb unused-server-ports command removes a tcp port (78) and
udp port (98) from the s1 real server. The show commands demonstrate the
effect of the clear command.
page 302
ACOS(config)# show running-config slb

!
port 78 tcp
port 88 tcp
port 88 udp
port 98 udp
port 98 tcp
!
member s1 88
member s1 98
!
slb service-group sg2 udp
member s1 88
!
ACOS(config)# clear slb unused-server-ports
ACOS(config)# show running-config slb
!
port 88 tcp
port 88 udp
port 98 tcp
!
member s1 88
member s1 98
!
slb service-group sg2 udp
member s1 88
!
ACOS(config)#
conn-limit
Description Specify maximum number of concurrent connections allowed on a real
server.
Syntax [no] conn-limit max-connections
Replace max-connections with the maximum number of concurrent

connections allowed on the server. You can specify 1-8000000 (eight
million).
page 303
Default 8000000
Mode Real server
Usage If you set a connection limit, it is recommended that you also set the conn-
resume interval. (See “conn-resume” on page 304.)
You also can set the connection limit on individual protocol ports. In this
case, the limit specified for the port overrides the limit set at the server level.
Example The following command sets the connection limit to 10,000:
ACOS(config)# slb server rs123

ACOS(config-real server)# conn-limit 10000
conn-resume
Description Specify the maximum number of connections the server can have before the
ACOS device resumes use of the server. Use does not resume until the num-
ber of connections reaches the configured maximum or less.
Syntax [no] conn-resume connections
Replace connections with the maximum number of connections the server

can have before the ACOS device resumes use of the server. You can specify
1-1000000 (1 million) connections.
Default By default, this option is not set. The ACOS device is allowed to start sending
new connection requests to the server when the number of connections on
the server falls below the connection limit threshold set by conn-limit.
Mode Real server
Usage You also can set the conn-resume value on individual protocol ports. In this
case, the value specified for the port overrides the value set at the server
level.
Example The following command sets the conn-resume option to 500,000 connec-
tions:

ACOS(config-real server)# conn-resume 500000
page 304
disable
Description Disable a real server.
Syntax [no] disable
Default Enabled
Mode Real server
Usage Disabling a real server that is a service-group member generates a log mes-
sage and an SNMP trap.
Example The following commands disable a server named “rs123”:

ACOS(config-real server)# disable
disable-with-health-check
Description Disable a service-group member from normal server selection, but still main-
tain the health of the server.
This feature is ideal if you periodically need to take active servers out of
service pools for maintenance, but this maintenance is done through a
remote client. The feature allows you to access these servers using the
same front-end VIP in the presence of a persistent cookie template or
LB::reselect aFleX command.
Syntax disable-with-health-check
Default This feature is not enabled be default.
Mode Real server
Usage In addition to real server configuration mode, this command is also available
from the following modes:
• Real server port configuration (see “port” on page 308)
• Service -group member (see “member” on page 319)
Using this command to disable a real server with that is a service-group

member generates a log message and an SNMP trap.
Example This example configures health monitor “hm1” to use ICMP transparent
health method and apply the monitor to a TCP port on real server “realserv-
er1”. Disable-with-health-check is enabled at the SLB server configuration
level.
ACOS(config)# health monitor hm1

page 305
ACOS(config)# slb server realserver1 10.1.1.2
ACOS(config-real server)# disable-with-health-check
ACOS(config-real server-node port)# health-check hm1
ACOS(config-slb svc group)# member realserver1 80
ACOS(config-slb svc group-member:80)#
enable
Description Re-enable a real server.
Syntax [no] enable
Default Enabled
Mode Real server
Usage Enabling a real server that is a service-group member generates a log mes-
sage and an SNMP trap.
Example The following commands re-enable a disabled server named “rs123”:

ACOS(config-real server)# enable
extended-stats
Description Enable collection of peak connection statistics for a server.
Default Disabled
Mode Real server
page 306
external-ip
Description Assign an external Network Address Translation (NAT) IP address to the
server. The external IP address allows a server that has an internal IP
address to be reached from outside the internal network.
Syntax [no] external-ip ipaddr
Default None
Mode Real server
Example The following commands configure external IP address 192.168.10.11 on

real server “rs123”:

ACOS(config-real server)# external-ip 192.168.10.11
health-check
Description Enable health monitoring for a server.
Syntax [no] health-check monitor-name
Replace monitor-name with the name of a configured health monitor. If you

omit this command, the default ICMP health monitor is used. (See below.)
Default ICMP ping (echo request), sent every 5 seconds. If ping fails 4 times consec-
utively (first attempt followed by 3 retries), ACOS device sets the server state
to DOWN.
Mode Real server
Usage Entering the command at this level enables Layer 3 health checking. The
monitor you specify must use the ICMP method.
Example The following command sets a server to use the “RUthere” health monitor:

ACOS(config-real server)# health-check RUthere
Description Disable health monitoring of the server.
Default The default Layer 3 health method (ping) is used by default.
page 307
ipv6
Description Assign an IPv6 address to the real server for GSLB.
Syntax [no] ipv6 ipv6addr
Default None
Mode Real server
port
Description Configure a TCP or UDP port on a server.
Syntax [no] port port-num {tcp | udp} [range num]
port-num Protocol port number, 0-65534.
Port number 0 is a wildcard port used for IP protocol load balancing. For
more information, see the “IP Protocol Load Balancing” chapter of the Applica-
tion Delivery and Server Load Balancing Guide.
tcp | udp Protocol type.
When configuring a port for NetFlow, use UDP. TCP is not supported for Net-
Flow.
range num Specifies the range of real ports you want to create within the real server con-
figuration. This value can range from 0-254.
The specified port number is the base number for the range of real ports.
This command changes the CLI to the configuration level for the specified
port, where the following port-related commands are available:
Command Description
[no] alternate sequence-num Configure an alternate port for the primary port. Sequence-num and
server-name port portnum server-name can be 1-16. (For more information, see “Dedicated Backups
for Real Server Ports” in the Application Delivery and Server Load Balancing
Guide.)
[no] authentication-server Binds an authentication-server profile to the port.
profile-name
NOTE: This option applies to Application Access Management (AAM).
[no] conn-limit Specifies the maximum number of concurrent connections allowed on
max-connections the server for this port, 0-8000000 (eight million).
page 308
Command Description
[no] conn-resume Specifies the maximum number of connections the service port can
connections have before the ACOS device resumes use of the port. Use does not
resume until the number of connections reaches the configured maxi-
mum or less. You can specify 1-1000000 (1 million) connections.
By default, this option is not set. The ACOS device is allowed to start
sending new connection requests to the service port as soon as the
number of connections on the port falls back below the connection limit
threshold set by the conn-limit command.
disable Disables the port.
disable-with-health-check Disable member service port, but maintain the server’s health check sta-
tus.
This feature is introduced in ACOS 2.7.2-P2 and later, and ACOS 4.0.1 to
allow you to disable a service-group member’s port from normal server
selection, but still maintain the health of the server.
enable Enables the port.
[no] extended-stats Enables collection of SLB peak connection statistics for the port.
[no] health-check monitor- Enables health monitoring of the port. The monitor-name specifies the
name name of a configured health monitor.
If you omit this command or you enter it without the monitor-name

option, the default TCP or UDP health monitor is used:
• TCP – Every 5 seconds, the ACOS device sends a connection request

(TCP SYN) to the specified TCP port on the server. The port passes
the health check if the server replies to the ACOS device by sending a
TCP SYN ACK.
• UDP – Every 5 seconds, the ACOS device sends a packet with a valid
UDP header and a garbage payload to the UDP port. The port passes
the health check if the server either does not reply, or replies with any
type of packet except an ICMP Error message.
[no] health-check-follow- Specifies another real port upon which to base this port’s health status.
port port-num {tcp | udp} Both the real port and the port to use for the real port’s health status
must be the same type, TCP or UDP. By default, this option is not set.
[no] health-check-disable Disables health monitoring of the port.
[no] no-ssl Disables SSL for server-side connections. This command is useful if a
server-SSL template is bound to the virtual port that uses this real port,
and you want to disable encryption on this real port.
Encryption is disabled by default, but it is enabled for server-side con-

nections when the real port is used by a virtual port that is bound to a
server-SSL template.
Using the double-negative form of the command (no no-ssl) enables

SSL for server-side connections.
page 309
Command Description
[no] service-principal-name Specifies the Kerberos principal name of this server port. This is the
string [...] ACOS client name presented to the application server.
NOTE: This option applies to Application Access Management (AAM).

stats-data-disable | Disable or enable statistical data collection for the port.
stats-data-enable
[no] template port template- The port option binds a port template to the port. The parameter set-
name tings in the template are applied to the port.
The real port template named “default” is bound to real ports by default.
Parameter settings in the default real port template automatically apply
to the port, unless you bind a different real port template to the port.
If a parameter is set individually on this port and also is set in a port tem-
plate bound to this port, the individual setting on this port is used
instead of the setting in the template.
To configure a port template, see “slb template port” on page 96.

[no] template server-ssl The server-ssl option binds a server-side SSL template to the port.
template-name The parameter settings in the template are applied to the port. This is
useful where the real servers load balanced by a VIP have different SSL
settings.
[no] weight number Specifies load-balancing preference for this port, 1-100. Higher weights
give more favor to this server for this port relative to other servers.
Default is 1.
This option applies only to the service-weighted-least-connection

load-balancing method.
Default No ports are configured by default. The defaults for the command options
are described with the options, above. Statistical data collection of load-bal-
ancing resources is enabled by default.
Mode Real server
The no form of this command resets the port’s connection limit, health
monitoring, or weight to its default value. To collect statistical data for a
load-balancing resource, statistical data collection also must be enabled
globally. (See “slb common” on page 20.)
Usage Include the range option for each real server that will be included in the ser-
vice group, but only if you want that real server to be included in the mapping
feature. The service group can be “mixed”. That is, some real servers within a
service group can have the range option set, but it is not mandatory for all
servers in a service group to be configured for “VIP to real port mapping”.
Example The following commands configure server “terap” and add TCP port 69 to
the server. The health-check command is not entered, so by default the
ACOS device will check the service port’s health by sending a connection
request to 69 on terap every 30 seconds.
ACOS(config)# slb server terap 10.2.4.69
page 310

ACOS(config-real server-node port)#
Example The following commands bind the server-SSL template directly to TCP port
80 on the real server at IP 10.8.8.8:

ACOS(config-real server-node port)# template server-ssl server-ssl1
Example The following example configures health monitor “hm1” to use the ICMP
transparent health method, and apply the monitor to a TCP port on real
server “realserver1”. The disable-with-health-check option is enabled at
the SLB server port configuration level.

ACOS(config-real server-node port)# disable-with-health-check
ACOS(config-slb svc group-member:80)#
slow-start
Description Enable slow-start for a server. Slow start allows time for a server to ramp up
after the server is enabled or comes online, by temporarily limiting the num-
ber of new connections on the server.
It is recommended to configure this feature in the real server template or real

port template instead. See the “Behavior When Slow Start Is Also Configured
on the Real Server Itself” section in the “Server and Port Templates” chapter
of the Application Delivery and Server Load Balancing Guide.
Default Disabled
Mode Real server
Usage Slow-start allows a maximum of 128 new connections during the first inter-
val (anywhere between 0 and 10 seconds). During each subsequent 10-sec-
ond interval, the total number of concurrent connections allowed to the
page 311
server is doubled. Thus, during the first 20 seconds, the server is allowed to
have a total of 256 concurrent connections. After 59 seconds, slow-start
ends the ramp-up and no longer limits the number of concurrent connec-
tions.
After the ramp-up period ends, the number of new connections is controlled
by the conn-limit setting. (See “conn-limit” on page 303 and the description
of conn-limit in “port” on page 308.)
Slow-start is also configurable in server and port templates. (See “slb

template server” on page 96 and “slb template port” on page 96.)
Example The following command enables slow-start:

ACOS(config-real server)# slow-start
spoofing-cache
Description Enable support for a spoofing cache server. A spoofing cache server uses
the client’s IP address instead of its own as the source address when obtain-
ing content requested by the client.
Syntax [no] spoofing-cache
Default Disabled
Mode Real server
Usage This command applies to the Transparent Cache Switching (TCS) feature.
For more information about TCS, including additional configuration require-
ments and examples, see the “Transparent Cache Switching” chapter in the
Example The following commands configure a real server for a spoofing cache server:
ACOS(config)# slb server cache-rs 110.110.110.10

ACOS(config-real server)# spoofing-cache
stats-data-disable
Description Disable collection of statistical data for the server.
Default Statistical data collection for load-balancing resources is enabled by default.
Mode Real server
page 312
stats-data-enable
Description Enable collection of statistical data for the server.
Mode Real server
Usage To collect statistical data for a load-balancing resource, statistical data col-
lection also must be enabled globally. (See “slb common” on page 20.)
template server
Description Bind a real server template to the server.
Syntax [no] template server template-name
Default The real server template named “default” is bound to servers by default. The
parameter settings in the default real server template are automatically
applied to the new server, unless you bind a different real server template to
the server.
Mode Real server
Usage If a parameter is set individually on this server and also is set in a server tem-
plate bound to this server, the individual setting on this server is used instead
of the setting in the template.
To configure a real server template, see “slb template server” on page 96.
Example The following commands configure a real server template called “rs-tmplt1”
and bind the template to two real servers:
ACOS(config)# slb template server rs-tmplt1

ACOS(config-rserver)# health-check ping2
ACOS(config-rserver)# conn-limit 500000
page 313
weight
Description Assign an administrative weight to the server, for weighted load balancing.
Replace num with the administrative weight assigned to the server. You can
specify 1-100.
Default 1
Mode Real server
Usage This parameter applies only to the weighted-least-connection,

weighted-rr (weighted round robin), and round-robin-strict load-balanc-
ing methods.
Example The following commands assign a weight of 20 to a server:
ACOS(config)# slb server 10.10.10.5

ACOS(config-real server)# weight 20
page 314
Config Commands: SLB Service Groups
This chapter describes the commands for configuring SLB service groups.
To access this configuration level, enter the slb service-group command at the Global configuration
level.

To display configured service groups, use the slb service-group ? command.
• backup-server-event-log
• extended-stats
• health-check
• member
• method
• min-active-member
• priority
• priority-affinity
• reset auto-switch
• reset-on-server-selection-fail
• sample-rsp-time
• strict-select
• template
• traffic-replication-type
page 315
backup-server-event-log
Description Enable log messages to indicate when a backup service-group member is
placed into service or is removed from service.
Syntax [no] backup-server-event-log
Default Disabled
Mode Service group
A backup member is a member that has a lower priority than primary

(highest priority) members of the same service group. The ACOS device will
not use a lower-priority member (backup server) unless high priority
members (primary servers) exceed their connection limits or connection-rate
limits, or are down.
The backup-server-event-log command generates a log message when a
backup service-group member is placed into service for either of these
reasons:
• The connection limit on the primary servers or member ports is

exceeded.
• The primary servers or member ports go down.
Likewise, the command generates a log message when a backup service-

group member is removed from service, and a primary server is returned to
service for either of the following reasons:
• The primary server or member port’s connection-resume limit is

reached.
• The primary server or member port comes back up.
Generation of log messages for these events is rate-limited to once per

minute. The events described in a message occur at some point within the
60 seconds prior to the log message’s timestamp.
By default, the backup servers are placed into service only when both
primary servers exceed their connection limits or go down. You can use the
min-active-member command to allow secondary servers to be placed into
service even when some primary servers are still available. (See “min-active-
member” on page 329.)
SNMP Trap Requirements
To also generate SNMP notifications, the following SLB traps must be

enabled:
• slb server-conn-limit
• slb server-conn-resume
• slb service-conn-limit
page 316
• slb service-conn-resume
Log Message Examples
A message such as the following is generated when a backup member is

placed into service:
Enabled new connections on server rs-backup1 port 80 in sg1 group
In this example, member rs-backup1 in service group sg1 is placed into

service.
When the backup member is removed from service, a message such as one
of the following is generated:
Disabled new connections on backup server(s) on group sg1, resume
primary server rs1 port 80
Disabled new connections on backup server(s), resume primary server

rs1 port 80
In the first message, the service group name is included. The service group
name is not included in the second message.
• If the primary server is a member of only one service group, or the ser-
vice group can otherwise be determined, the first message is used.
• If the primary server is a member of more than one service group, and
the service group can not be determined, the second message is used.
extended-stats
Description Enable collection of peak connection statistics for a service group.
Default Disabled
Mode Service group
page 317
health-check
Description Use a health monitor to check the health of all members of the service
group.
Syntax [no] health-check monitor-name
Replace monitor-name with the health monitor to use.
Default None
Mode Service group
Usage The health monitor is used to test the health of all members of the service
group, including any members that are added in the future.
Service group health status applies only within the service group context.
Health checks of a port from different service groups can result in different
health status, depending on the resource requested by the health check.
Health checks can be applied to the same resource (real server or port) at
the following levels:
• In a service group that contains the server and port as a member
• In a server or server port configuration template bound to the server or
port
• Directly on the individual server or port
In cases where health checks are applied at multiple levels, they have the
following priority:
1. Health check on real server
2. Health check on real server’s port
3. Health check on service group
If a health check at the real server level (1) fails, the corresponding real
server, real server port, and service group members are marked Down.
However, if a health check on the service group level (3) fails, only that
service group member in that service group is marked Down.
Example These commands configure a health monitor and apply it to a service group:
ACOS(config)# health monitor qrs

ACOS(config-health:monitor)# method http url GET /media-qrs/
index.html
ACOS(config)# slb service-group qrs tcp
ACOS(config-slb svc group)# member media-rs 80
ACOS(config-slb svc group)# health-check qrs
page 318
Description Disable health monitoring of the service group.
Default Health checking is enabled by default.
member
Description Add a server to a service group.
Syntax [no] member server-name portnum
server-name portnum Name of the real server you want to add to the service group. This server must
already exist on the system.
portnum Protocol port number on the server.
This command drops you into a sub-configuration mode, where the

following additional commands are available:
enable Enable the server and port for this service-group only.
disable Disable the server and port for this service-group only.
disable-with-health-check Disable the member server, but maintain the server’s health check status.
This feature is introduced in ACOS 2.7.2-P2 and later, and ACOS 4.0.1 to
allow you to disable a service-group member from normal server selection,
but still maintain the health of the server.
priority num Sets the preference for this server and port, 1-16. The highest priority is 16.
page 319
sampling-enable param Enable baselining. The following parameters are available:
• all - All connections.
• curr_conn - Current connections.
• total_fwd_bytes - Total forward bytes.
• total_fwd_pkts - Total forward packets.
• total_rev_bytes - Total reverse bytes.
• total_rev_pkts - Total reverse packets.
• total_conn - Total connections.
• total_rev_pkts_inspected - Total reverse packets inspected.
• total_rev_pkts_inspected_status_code_2xx - Total reverse packets

inspected (status code 2xx).
• total_rev_pkts_inspected_status_code_non_5xx - Total reverse packets

inspected (status code non 5xx).
• curr_req - Current requests.
• total_req - Total requests.
• total_req_succ - Total requests successful.
• peak_conn - Peak connections.
• response_time - Response time.
• fastest_rsp_time - Fastest response time.
• slowest_rsp_time - Slowest response time.

stats-data-disable Disable statistical data collection for the service-group member.
template template-name Binds a real port template to this member port.
NOTE: The port template option slow-start is not supported if the port
template is applied using this command.
stats-data-disable Disable statistical data collection for the service-group member.
Default There are no servers in a service group by default. When you add a server
and port to the service group, the default state is enabled and the default pri-
ority is 1. Statistical data collection of load-balancing resources is enabled
by default.
page 320
To configure a real port template, see “slb template port” on page 96.
Mode Service group
Usage The normal form of this command adds a configured server to the service
group. The “no” form of this command removes the server from the group.
If you disable or re-enable a port, the state change applies only to this service
group. The state of the port is unchanged in other service groups.
To collect statistical data for a load-balancing resource, statistical data

collection also must be enabled globally. (See “slb common” on page 20.)
Example The following commands add servers “s1” and “s2” to service group
“sgroup1”:
ACOS(config)# slb service-group sgroup1

Example The following command adds a member server and port to a service group
and binds a real port template to the port:

ACOS(config-slb svc group)# member rs1 80
ACOS(config-slb svc group-member:80)# template rptemplate1
Example The following example configures health monitor “hm1” to use the ICMP
transparent health method, and apply the monitor to a TCP port on real
server “realserver1”. Then, the disable-with-health-check option is enabled
at the service group member configuration level.

ACOS(config-slb svc group-member:80)# disable-with-health-check
page 321
method
Description The method command is a service-group configuration mode command
that specifies the load balance method used to determine which server
receives an inbound data flow (session). After a server is selected for a ses-
sion, that server receives packets from the session until the timeout expiry,
defined as the period of time the load balancer does not receive at least one
packet of the session.
The default timeout period is 180 seconds.
A session is defined by its five-tuple: source IP address, source port,

destination IP address, destination port, and protocol. Each selection option
utilizes at least one of the following four data points:
• session packet contents (typically destination IP address and port)
• load balancer configuration parameters (typically weight settings)
• health monitor packets received from member servers
• metrics managed by load balancers (such as number of connections
sent to each server)
Syntax [no] method lb-method
[auto-switch
[
stateless-lb-method
{
conn-rate rate duration
[revert-rate revert-duration]
[grace-period seconds] [log] |
l4-session-usage percent duration
[revert-rate revert-duration]
[grace-period seconds] [log]
]
} ]
page 322
page 323
lb-method Load-balancing method:
• dest-ip-hash – Calculates a hash value based on the destination IP address and proto-
col port of the client’s request.
• dest-ip-only-hash – Calculates a hash value based on only the destination IP address

of the client’s request.
• fastest-response – Selects the server with the fastest first data packet response time
(after three-way handshake) from end-user traffic requests.
The fastest-response method is not applicable in Direct Server Return (DSR) deploy-
ments.
• least-connection [pseudo-round-robin] – Selects the server that currently has the

fewest connections.
For this and the other least-connection methods, if there is a tie, the default behavior is to
select the port (among those tied) that has the lowest number of request bytes plus
response bytes. If there is still a tie, a port is randomly selected from among the ones that
are still tied.
To override this tie-breaker behavior, use the pseudo-round-robin option. This option
selects the server that has not been selected for the longest time.
• odd-even-hash – Hash value is even-odd result of the sum of the source IP address
octets.
• service-least-connection [pseudo-round-robin] – Selects the server port that cur-

rently has the fewest connections.
• weighted-least-connection [pseudo-round-robin] – Selects a server based on a

combination of the server’s administratively assigned weight and the number of connec-
tions on the server. (To assign a weight to a server, see “weight” on page 314.)
• service-weighted-least-connection [pseudo-round-robin] – Same as weighted-

least-connection, but per service. (To assign a weight to a service, see “port” on
page 308. Use the weight option.)
• src-ip-hash – Calculates a hash value based on the source IP address and protocol port
of the client’s request.
• src-ip-only-hash – Calculates a hash value based on only the source IP address of the
client’s request.
• least-request – Selects the real server port for which the ACOS device is currently pro-
cessing the fewest HTTP requests. This method is applicable to HTTP load balancing.
• weighted-rr – Selects servers in rotation, based on the servers’ administratively assigned

weights.
To use this method, you also need to assign weights to the servers. (See “weight” on
page 314.) If the weight value is the same on each server, this load-balancing method sim-
ply selects the servers in rotation.
The weighted-rr method uses only the server weight. Server port weight is not used.
(Instead, server port weight is used by the service-weighted-least-connection
method).
page 324
lb-method Load balancing method (continued):
(cont.)
• round-robin – Selects servers in simple rotation.
• round-robin-strict – Provides a more exact round-robin method. The standard, default

round robin method is optimized for high performance. Over time, this optimization can
result in a slight imbalance in server selection. Server selection is still basically round robin,
but over time some servers may be selected slightly more often than others. An optional
weight can also be assigned. (See “weight” on page 314.)
These methods apply only to stateless SLB. See the “Usage” section for more information.
• stateless-src-ip-hash – Balances server load based on a hash value calculated using

the source IP address and source TCP or UDP port.
• stateless-src-dst-ip-hash – Balances server load based on a hash value calculated

using both the source and destination IP addresses, and the source and destination TCP
or UDP ports.
• stateless-src-dst-ip-only-hash – Balances server load based on a hash value calcu-

lated using only the source and destination IP addresses.
• stateless-dst-ip-hash – Balances server load based on a hash value calculated using

the destination IP address and destination TCP or UDP port.
• stateless-per-pkt-round-robin – Balances server load by sending each packet to a

different server, in rotation. This method is applicable only for UDP DNS traffic.
stateless-src-ip-only-hash – Calculates a hash value based only on the source IP

address of the request, and selects a server based on the hash value. Subsequently, all
requests from the same client address are sent to the same server.
page 325
auto-switch You can configure the following options for this feature.
[options]
The stateless-lb-method option specifies the stateless load-balancing method to use if the
traffic reaches the configured threshold, and can be one of the following:
• stateless-dst-ip-hash
• stateless-per-pkt-round-robin
• stateless-src-dst-ip-hash
• stateless-src-dst-ip-only-hash
• stateless-src-ip-hash
• stateless-src-ip-only-hash
You can specify either of the following sets of thresholds:
• conn-rate rate duration – Rate of new connection requests per second at which the
load balancing method is changed. The rate applies collectively to all servers in the service
group. The threshold can be 1-1000000 connection requests per second.
• l4-session-usage percent duration – Percentage of the system-wide Layer 4 ses-

sion capacity that is currently in use. The threshold can be 1-100 percent.
For each set of thresholds, you can specify the following options:
• revert-rate – (Optional) Rate to revert to stateful method. You can specify

1-1000000 connections per second.
Note: If no revert rate is specified, load balancing will remain stateless. For a switch to
stateful to occur, a revert rate must be specified.
• revert-duration – (Optional) Number of seconds during which the specified revert trig-
ger must continue to occur before the service group changes to stateful load balancing
again. You can specify 1-600 seconds.
• grace-period seconds – (Optional) Number of seconds the ACOS device continues to

use the current load balancing method for active sessions, before changing to the other
load balancing method. You can specify 1-600 seconds.
NOTE: The grace period applies only to sessions that are active when the load balancing
change is triggered. The change applies immediately to new sessions that begin after the
change is triggered.
• log – Logs changes between stateful and stateless load balancing that occur due to this
feature. This is disabled by default.
Default The default method is round-robin.
Mode Service group
Usage The fastest-response method takes effect only if the traffic rate on the serv-
ers is at least 5 connections per second (per server). If the traffic rate is
lower, the first server in the service group usually is selected.
To set a server’s weight, see “weight” on page 314.
page 326
Stateless SLB
Stateless SLB conserves system resources by operating without session

table entries on the ACOS device. The stateless SLB methods are valid for
the following types of traffic:
• Traffic with very short-lived sessions, such as DNS

• Layer 2 Direct Server Return (DSR) traffic
• Other types of traffic that do not require features that use session-table
entries. (See list of limitations below.)
You can enable stateless SLB on an individual service-group basis, by
selecting a stateless SLB load-balancing method for the group.
Limitations
Stateless SLB is not valid for the following features or traffic types:
• Rate limiting
• ACLs
• IP source NAT
• Session synchronization
• Application Layer Gateway (ALG)
• Layer 3 DSR
• SLB-PT
• aFleX
• FWLB ALG
A given real server can be used in only one stateless SLB service group. A
real server that is in a stateless SLB service group cannot be used in any
other stateless service groups.
If the virtual port is on a wildcard VIP, destination NAT must be disabled on
the virtual port. To disable destination NAT, see “no-dest-nat” on page 359.
Graceful transitions between stateful and stateless SLB in a service group

are not supported.
Mega-proxies may interfere with equal balancing of traffic load among the
multiple data CPUs. In this case, for DNS traffic only, try using the stateless-
per-pkt-round-robin method.
NOTE: The stateless-per-pkt-round-robin method is applicable only for

traffic that uses a single packet for a request. Examples include DNS
queries or RADIUS requests without a Challenge-request/Response
message used for EAP.
Example The following example sets the load-balancing method for a service group to
least-connection:
page 327
ACOS(config)# slb service-group sg-lc1 tcp

ACOS(config-slb svc group)# method least-connection
Example The following commands configure a stateless SLB service group for UDP
traffic:
ACOS(config)# slb service-group dns-stateless udp

ACOS(config-slb svc group)# member dns1 53
ACOS(config-slb svc group)# member dns2 53
ACOS(config-slb svc group)# method stateless-src-dst-ip-hash
Example The following commands configure a service group that uses the stateless-
per-pkt-round-robin stateless load-balancing method. This method is used if
the rate of new connection requests to the virtual port bound to the service
group reaches 80,000 connections per second, and remains at least this
high for 300 seconds.
ACOS(config)# slb service-group auto-stateless tcp

ACOS(config-slb svc group)# method weighted-rr auto-switch stateless-per-pkt-round-robin
conn-rate 80000 300 60000 300 grace-period 15 log
To return to using the stateful load-balancing method (weighted round-robin

in this example), the rate of new connection requests to the virtual port must
drop to 60,000 per second, and remain that low for at least 300 seconds.
Once this occurs, the ACOS device waits for and additional 15 seconds (the
grace period) before returning to use of stateful load balancing. Logging is
enabled.
Example In the following configuration, if Layer 4 session usage reaches 2 percent

and stays at least this high for 5 seconds, both service-group members
begin using the stateless-dst-ip-hash method. The ACOS device reverts back
to stateful load balancing when 1 percent or less is reached for 5 seconds.
ACOS(config)# slb service-group sg-auto1 tcp

ACOS(config-slb svc group)# method dst-ip-hash auto-switch stateless-dst-ip-hash l4-ses-
sion-usage 2 5 1 5
ACOS(config-slb svc group-member:80)# member s2 80
ACOS(config)# slb service-group sg-auto tcp
ACOS(config-slb svc group)# method dst-ip-hash auto-switch stateless-dst-ip-hash l4-ses-
sion-usage 2 5 1 5
ACOS(config-slb svc group-member:80)# member s4 80
page 328
min-active-member
Description Use backup servers even if some primary servers are still up.
Syntax [no] min-active-member num [dynamic-priority] [skip-pri-set]
num Minimum number of primary servers that can still be
active (available), before the backup servers are used. You
can specify 1-63. There is no default.
dynamic-priority Dynamically adds lower-priority servers to the active list to
meet the min-active member requirement.
skip-pri-set Specifies whether the remaining primary servers continue
to be used. If you use this option, the ACOS device uses
only the backup servers and stops using any of the pri-
mary servers.
Default By default, the servers with the highest priority value are the primary servers.
All other servers are backups only, and are used only if all the primary servers
are unavailable.
When you use this command, the skip-pri-set option is disabled by default.
Mode Service group
Usage Primary and backup servers are designated based on member priority (set
with the member command). For example, if a service group contains real
servers with the following priority settings, real servers s1, s2, and s3 are the
primary servers. Real servers s4 and s5 are backup servers.
• s1 – priority 16
When the minimum number of active members (primary servers) comes

back up, the ACOS device immediately returns to using only the primary
servers.
Example The following commands add members with different priorities to a service
group, and configure promiscuous VIP to begin using backup servers if any
of the primary servers becomes unavailable:
ACOS(config)# slb service-group sg-prom tcp

ACOS(config-slb svc group)# method least-connection
ACOS(config-slb svc group-member:80)# priority 16
page 329

ACOS(config-slb service group)# min-active-member 1
priority
Description Configure the ACOS device to respond to the failure of service-group mem-
bers of a certain priority by taking a designated action, such as dropping the
request or sending a TCP reset back to the client.
Syntax priority num
[
drop |
drop-if-exceed-limit |
proceed |
reset |
reset-if-exceed-limit
]
num Priority of the port, ranging from 1-16. Higher-priority nodes are preferred over
nodes with lower numbers. There is no default.
drop Drops the request if all nodes with this same priority fail for any reason.
drop-if-exceed-limit Drops the request if all nodes with this same priority fail, and if one or more
nodes exceed the configured connection limit or connection-rate-limit.
proceed The ACOS device uses the node(s) with the next-highest priority if all nodes
with the currently-selected priority fail (this is the default behavior).
reset Sends a reset to the client if all nodes with this same priority fail for any reason.
reset-if-exceed-limit Sends a reset to client if all nodes with this same priority fail and if failure is due
to one or more nodes exceeding configured connection-limit or connection-
rate-limit.
Default By default, the ACOS device will use the node(s) with the next-highest priority
if all nodes with the currently-selected priority fail.
Mode Service group
page 330
Usage Use this feature to define specific actions that should occur when higher-pri-
ority service-group members fail. By default, the ACOS device uses the high-
est priority service-group members until they are no longer available. When
the higher-priority nodes fail, the device fails over to the nodes with the next-
highest priority.
This priority option enables you to tie actions (drop, reset, and others) to a
general failure, such as service group members becoming disabled or failing
a health check. Alternatively, actions can be tied to connection-limits or
connection-rate-limits being exceeded.
Configuring the "priority option" feature allows you to prevent lower-priority
servers, which are presumably less robust than higher-priority servers, from
being overwhelmed by a flood of traffic when a failover occurs.
NOTE: The actions are mutually exclusive. Only one action can be config-
ured for each priority level.
The reset or drop actions can be triggered for the following reasons:
• If a health check fails
• If a user disables a server or port
• If another Load Balancing feature causes the currently-used priority to
become unavailable (for example, min-active-member feature)
• If a connection-limit or connection-rate-limit is exceeded
Example The following commands create the TCP service group “sg1” with several
servers with a priority of 10, and one server with a priority of 5. The com-
mands also assign the reset-if-exceed-limit action for members with pri-
ority 10, and assign the drop action for members with priority 5.

ACOS(config-slb svc group)# priority 10 reset-if-exceed-limit
ACOS(config-slb svc group)# priority 5 drop
page 331
priority-affinity
Description Configure the ACOS device to continue using backup servers (servers with
lower priority) even when the primary (high priority) servers come back up.
Syntax [no] priority-affinity [reset]
The reset option resets the priority affinity feature so that the primary
servers can be used again.
Default Disabled.
By default, the ACOS device uses only the service-group members with the
highest priority. If all the highest-priority servers go down, the ACOS device
starts using the secondary (lower-priority) members. Also by default, when
one or more of the highest-priority servers comes back up, the ACOS device
returns to using only those highest-priority servers and stops using the
backup servers.
Mode Service group
Usage The min-active-member option continues using backup servers in order to

maintain a minimum number of active servers, but does not continue using
only the backup servers after the primary servers come back up.
If the ACOS device stops using primary servers due to other features (such
as exceeding connection limits), priority affinity takes effect just as if the
switchover to the backup servers were triggered by a change in the status of
the primary servers. If those higher-priority servers become available due to
the number of connections dropping below the configured threshold, ACOS
will not use them, but will instead continue using the lower-priority backup
servers.
reset auto-switch
Description Reset load balancing from stateless back to the configured stateful method.
This command applies to configurations using auto-switch, which

automatically switches from the configured stateful load-balancing method
to a stateless load-balancing method, based on a configured threshold.
(“method” on page 322.)
Syntax reset auto-switch
Default N/A
Mode Configuration
Usage This command is operational only and does not affect the configuration. The
command is not saved in the startup-config.
page 332
reset-on-server-selection-fail
Description Send a TCP reset (RST) to the client if server selection fails.
Syntax [no] reset-on-server-selection-fail
Default Disabled
Mode Service group
sample-rsp-time
Description View sample server response time information.
Syntax [no] sample-rsp-time [

rpt-ext-server
[report-delay mins | top-fastest | top-slowest]
]
rpt-ext-server Report the top 10 fastest or slowest servers.
report-delay mins Set the reporting frequency in minutes (1-7200).
top-fastest Report the top 10 fastest servers.
top-slowest Report the top 10 slowest servers.
Mode Service group
stats-data-disable
Description Disable collection of statistical data for the service group.
Mode Service group
page 333
stats-data-enable
Description Enable collection of statistical data for the service group.
Mode Service group
strict-select
Description ACOS load balancing methods optimize for high performance, but some-
times this creates an imbalance in server selection, and some servers may
have more open connections than others. For the round-robin method of
load balancing, the imbalances can be corrected when the option of “strict”
is selected to ensure an exact round-robin distribution.
This method is supported for the Weighted Round-Robin, Least Connection,

and Service Least Connection load balancing methods, guaranteeing that
new connections will be sent to the server with the fewest connections, or
fewest service connections. While strict load balancing can be configured
with other load balancing methods, there will be no effect. Strict load
balancing is enabled within a service-group configuration. When strict load
balancing is enabled, lower performance should be expected, especially
when ACOS is running a heavy load of traffic.
Syntax [no] strict-select
Default Disabled.
Mode Service group
Example The following example configures a TCP load balancing service-group

named “strict.” Within the service-group, the example configures least con-
nection load balancing, and then enables strict selection.
ACOS(config)# slb service-group strict tcp

ACOS(config-slb svc group)# method weight-rr
ACOS(config-slb svc group)# strict-select
page 334
template
Description Apply a server or port configuration template to a service group.
Syntax template
{policy template-name | port template-name | server template-name}
policy template-name Name of a policy template.
port template-name Name of a port template.
server template-name Name of a server template.
Default The settings in the server or port template applied to the server or port are
used, unless overridden by settings in the individual server or port configura-
tion.
Mode Service group
page 335
traffic-replication-type
Description Replicate or “mirror” traffic to one or more collector servers in a service
group using one of the traffic replication types.
Syntax traffic-replication-type {
mirror |
mirror-da-repl |
mirror-ip-repl |
mirror-sa-da-repl |
mirror-sa-repl
}
mirror The ACOS device sends the packets “as is” to the collector server(s). Forwarding is
based on the IP address in the original packet. This mode does not change the
packet header at all. The original Layer 2 Destination Address (DA) or Source
Address (SA) and Layer 3 IP addresses are left intact.
mirror-da-repl Mirror Destination MAC Address replacement mode uses Layer 2 forwarding, with
the ACOS device replacing the destination MAC address on the incoming packet
with the destination MAC for each of the collector servers within the designated ser-
vice group.
mirror-ip-repl Mirror IP-replacement mode replaces the incoming packet’s IP address with the IP
address of the collector server(s) and then forwards the duplicated packet to those
servers. This option affects the packet at Layer 4, with minor changes made to the
L4 source and destination ports. This option is recommended for scenarios in which
collector servers are directly connected to the ACOS device.
mirror-sa-da-repl Mirror Source MAC Address and Destination MAC Address replacement mode
replaces both the source and destination MAC addresses at Layer 2 but does not
change the Layer 3 IP addressing information.
mirror-sa-repl Mirror Source MAC Address replacement mode replaces source MAC address on
incoming packets with the MAC address corresponding to virtual server on the
ACOS device.
In general, most of the traffic replication options modify the headers of the
duplicated packets at Layer 2 by changing the MAC address. Only one of the
Traffic Replication modes alters the packets’ IP address.
Default Disabled
Mode Service group
Usage Traffic replication intercepts traffic feeds, such as SNMP or Syslog packets,
copies them to a buffer, and forwards duplicated packets to multiple collec-
tor servers, where data can be used to track users and devices. This is help-
ful for organizations needing Network Monitoring feeds replicated to
multiple destinations.
When configuring the feature, after defining the VIP and setting up the real
collector servers, configure a service group for the collector servers, add the
real collector servers to the service group, and specify the traffic which
replication mode will be used.
page 336
Example The following commands configure a service group for the collector servers
and add the real collector servers to the service group. Then, the commands
specify that the mirror-da-repl traffic replication mode will be used to for-
ward duplicated network monitoring traffic to the collector servers.
ACOS(config)# slb service-group SG-RS tcp

ACOS(config-slb svc group)# member RS1 0
ACOS(config-slb svc group)# member RS2 0
ACOS(config-slb svc group)# traffic-replication-type mirror-da-repl
page 337
page 338
Config Commands: SLB Virtual Servers
This chapter describes the commands for configuring SLB virtual servers. The commands in this chap-
ter apply to virtual servers (also called “VIPs”), not to real servers. To configure real servers, see “Config
Commands: SLB Servers” on page 301.
To access this configuration level, enter the slb virtual-server command at the global Config level.
ACOS(config)# slb virtual-server VIP1 192.168.22.22

ACOS(config-slb vserver)#
To display configured virtual servers, use the show slb virtual-server ? command.
• arp-disable
• description
• disable
• disable-when-all-ports-down
• disable-when-any-port-down
• enable
• extended-stats
• port
• redistribution-flagged
• template logging
• template policy
• template scaleout
• template virtual-server
• vrid
page 339
arp-disable
Description Disable ARP replies from a virtual server.
Syntax [no] arp-disable
Default ARP replies are enabled by default.
Mode Virtual server
Usage Use this command if you do not want the ACOS device to reply to ARP
requests to the virtual server’s IP address. For example, you can use this
command to put a VIP out of service on one ACOS device and use that
device as a switch or router for another ACOS device providing SLB for the
VIP.
When you disable ARP replies for a VIP, redistribution of routes to the VIP is
automatically disabled.
Example The following command disables ARP replies:
ACOS(config-slb vserver)# arp-disable
description
Description Add a description to a VIP.
Syntax description string
Replace string with a description of the VIP (up to 63 characters long). The
string can contain blanks. Quotation marks are not required.
Default None
Mode Virtual server
Introduced in Release 2.7.0
disable
Description Disable a virtual server.
Syntax [no] disable
Default Virtual servers are enabled by default.
Mode Virtual server
page 340
disable-when-all-ports-down
Description Automatically disable the virtual server if all its service ports are down. If
OSPF redistribution of the VIP is enabled, the ACOS device also withdraws
the route to the VIP in addition to disabling the virtual server.
Syntax [no] disable-when-all-ports-down
when-all-ports-down Automatically disables the virtual server if all its service ports are down. If OSPF
redistribution of the VIP is enabled, the ACOS device also withdraws the route to
the VIP in addition to disabling the virtual server.
when-any-port-down Automatically disables the virtual server if any of its service ports is down. If OSPF
redistribution of the VIP is enabled, the ACOS device also withdraws the route to
the VIP in addition to disabling the virtual server.
Default Enabled.
Mode Virtual server
disable-when-any-port-down
Description Automatically disable the virtual server if any of its service ports is down. If
OSPF redistribution of the VIP is enabled, the ACOS device also withdraws
the route to the VIP in addition to disabling the virtual server.
Syntax [no] disable-when-any-port-down
Default Disabled.
Mode Virtual server
enable
Description Enable a virtual server.
Syntax [no] enable
Default Enabled
Mode Virtual server
Example The following commands re-enable virtual server “vs1”:
ACOS(config)# slb virtual-server vs1

ACOS(config-slb vserver)# enable
page 341
extended-stats
Description Enable collection of peak connection statistics for a virtual server.
Default Disabled
Mode Virtual server
page 342
port
Description Configure a virtual port on a virtual server.
Syntax [no] port port-number service-type [range length] [alternate]
port Port number, 0-65534.
service-type Service type of the port:
• diameter – Diameter AAA load balancing
• dns-tcp – DNS service over TCP
• dns-udp – DNS caching
• fast-http – Streamlined Hypertext Transfer Protocol (HTTP) service
• fix – File Information Exchange (FIX) load balancing
• ftp – File Transfer Protocol
• ftp-proxy – FTP proxy service
• http – HTTP
NOTE: HTTP2.0 is not supported in this command. If you enter http or https for the
service-type, only HTTP1.0 and 1.1 is supported.
• https – Secure HTTP (SSL)
• imap - (Internet Message Access Protocol)
• mlb – MLB service over TCP
• mms – Microsoft Media Server
• mssql – Database load balancing for MS-SQL servers
• mysql – Database load balancing for MySQL servers
• others – Wildcard port used for IP protocol load balancing. (For more information, see
the “IP Protocol Load Balancing” chapter of the Application Delivery and Server Load Bal-
ancing Guide.)
• pop3 - (Post Office Protocol 3)
• radius – RADIUS
• reqmod-icap - ICAP
• respmod-icap - ICAP
• rtsp – Real Time Streaming Protocol
page 343
service-type • sip – Session Initiation Protocol (SIP) over UDP
(continued)
• sip-tcp – SIP over TCP
• sips – SIP over TCP / TLS
• smpp-tcp – Short Message Peer-to-Peer (SMPP 3.3) load balancing over TCP
• smtp – Simple Mail Transfer Protocol
• spdy – Google SPeeDy protocol
• spdys – Secure SPDY
• ssl-proxy – SSL proxy service
• ssli – non-HTTP over SSL
• tcp – Layer 4 Transmission Control Protocol (TCP)
• tcp-proxy – Full TCP-stack service for load-balanced Layer 7 applications
• tftp – Trivial File Transfer Protocol
• udp – User Datagram Protocol

range length Assigns a range of ports to the VIP for the specified virtual-service type. The length speci-
fies the number of contiguous ports to add to the base port, 0-254.
alternate Designates this virtual port as an alternate port for another virtual port. An alternate port is
a standby for the primary port. (See “alternate” on page 352.)
Default N/A
Mode Virtual server
Usage The normal form of this command creates a new or edits an existing virtual
port. The CLI changes to the configuration level for the virtual port. (See
“Config Commands: SLB Virtual Server Ports” on page 349.)
The “no” form of this command removes the specified virtual port from
current virtual server.
The maximum number of virtual service ports allowed and the maximum
number per virtual server depend on the ACOS model.
The ACOS device allocates processing resources to HTTPS virtual ports

when you bind them to an SSL template. This results in increased CPU
utilization, regardless of whether traffic is active on the virtual port.
Fast-HTTP
Fast-HTTP is optimized for very high performance information transfer in

comparison to regular HTTP. Due to this optimization, fast-HTTP does not
support all the comprehensive capabilities of HTTP such as header insertion
page 344
and manipulation. It is recommended not to use fast-HTTP for applications

that require complete data transfer integrity.
Packet Processing on HTTP Virtual Ports
Packets reaching a Layer 7 HTT{P virtual port are processed in the following
order of priority:
1. PBSLB (policy template) action drop/reset

2. PBSLB action service-group, in conjunction with PBSLB action.
3. Source-IP persistence template
4. Layer 4 aFleX policy (for example, CLIENT_ACCEPTED event)
5. Cookie persistence template
6. Layer 7 aFleX script (for example, HTTP_REQUEST event)
7. URL switching configured in HTTP template
8. Cookie persistence template with match-type of service-group and
bound to a source-IP persistence template with match-type set to ser-
vice-group.
9. Configured service- group bound to the virtual port
Example The following example creates a new (or edits an existing) virtual port:
ACOS(config-slb vserver)# port 443 https

ACOS(config-slb vserver-vport)#
redistribution-flagged
Description Flag this VIP to selectively enable or disable redistribution of it by OSPF.
Syntax [no] redistribution-flagged
Default Not set. VIP is automatically redistributed if VIP redistribution is enabled in

OSPF.
Mode Virtual server
Usage Use this option if you want to redistribute only some of the VIPs rather than
all of them.
Selective VIP redistribution also requires configuration in OSPF. See the

description of the vip option of the redistribute command in the “Config
Commands: Router - OSPF” chapter in the Network Configuration Guide.
page 345
stats-data-disable
Description Disable collection of statistical data for the virtual server.
Mode Virtual server
stats-data-enable
Description Enable collection of statistical data for the virtual server.
Mode Virtual server
template logging
Description Bind a logging template to the virtual server.
Syntax [no] template logging template-name
Default None
Mode Virtual server
template policy
Description Bind a PBSLB policy template to the virtual server.
Syntax [no] template policy template-name
Default None
Mode Virtual server
Usage This command is applicable only for PBSLB policy templates configured for
IP limiting. (See the Application Access Management and DDoS Mitigation
Guide.)
page 346
template scaleout
Description Bind a Scale Out template to the virtual server.
More information about Scale Out is available in “Configuring Scale Out” in

the System Configuration and Administration Guide.
Syntax [no] template scaleout template-name
Default None
Mode Virtual server
template virtual-server
Description Bind a virtual server template to the virtual server.
Syntax [no] template virtual-server template-name
Default The virtual server template named “default” is bound to virtual servers by
default. The parameter settings in the default virtual server template are
automatically applied to the new virtual server, unless you bind a different
virtual server template to the virtual server.
Mode Virtual server
Usage If a parameter is set individually on this virtual server and also is set in a vir-
tual server template bound to this virtual server, the individual setting on this
virtual server is used instead of the setting in the template.
To configure a virtual server template, see “slb template virtual-server” on

page 97.
Example The following commands configure a virtual server template called “vs-
tmplt1” that sets ICMP rate limiting, and bind the template to a virtual server:
ACOS(config)# slb template virtual-server vs-tmplt1

ACOS(config-vserver)# icmp-rate-limit 25000 lock 30000 60
ACOS(config-vserver)# exit
ACOS(config-slb vserver)# template virtual-server vs-tmplt1
page 347
vrid
Description Assign the virtual server to a VRRP-A VRID.
Syntax [no] vrid num
Use num to specify the VRID (1-31 in the shared partition, or 1-7 in an L3V
partition).
Default The default VRID, if none is assigned, is 0.
Mode Virtual server configuration mode
page 348
Config Commands: SLB Virtual Server Ports
This chapter describes the commands for configuring virtual ports.
To access this configuration level, enter the port command at the configuration level for a virtual
server.
ACOS(config)# slb virtual-server VIP1 192.168.22.22

ACOS(config-slb vserver-vport)#
• aaa-policy
• access-list
• aflex
• alternate
• bucket-count
• clientip-sticky-nat
• conn-limit
• def-selection-if-pref-failed
• def-selection-if-pref-failed-disable
• disable
• enable
• extended-stats
• force-routing-mode
• ha-conn-mirror
• ip-map-list
• ipinip
• message-switching
page 349
• name
• no-auto-up-on-aflex
• no-dest-nat
• redirect-to-https
• reset-on-server-selection-fail
• rtp-sip-call-id-match
• service-group
• skip-rev-hash
• snat-on-vip
• source-nat auto
• source-nat pool
• syn-cookie
• template
• template virtual-port
• use-default-if-no-server
• use-rcv-hop-for-resp
aaa-policy
Description Bind an AAM policy to the virtual port.
Syntax [no] aaa-policy policy-name
Mode Virtual port
access-list
Description Apply an Access Control List (ACL) to a virtual server port.
page 350
Syntax [no] access-list {acl-num | name acl-name}

[source-nat-pool {pool-name | pool-group-name}
[sequence-number num]]
acl-num | name acl-name Number of a configured IPv4 ACL (acl-num), or the name of a configured
IPv6 ACL (name acl-name).
source-nat-pool Name of a configured IP source NAT pool or pool group. Use this option
{pool-name | pool-group-name} to configure a policy-based source NAT. Source NAT is required if the
[sequence-number num] real servers are in a different subnet than the VIP.
The sequence-number option specifies the ACL position within the ACL
sequence associated with IP source NAT pools and are assigned to this
virtual port. The sequence number is important because the ACOS
device uses IP addresses in the pool associated with the first ACL
matching the traffic.
By default, the ACL sequence is based on the order in which you apply
them to the virtual port. The first ACL has sequence number 1, the sec-
ond ACL has sequence number 2, and so on. You can specify 1-32 as
the sequence number. To view the sequence, use the show running-
config command to view the configuration for this virtual port.
Default N/A
Mode Virtual port
Usage The ACL must be configured before you can apply it to a virtual port. To con-
figure an ACL, use the “access-list (standard)” or “access-list (extended)”
commands, which are described in the “Command Line Interface Reference”
document.
To permit or deny traffic on the virtual port, specify an ACL but do not specify
a NAT pool.
To configure policy-based source NAT, specify an ACL and a NAT pool. Use
an extended ACL. The source IP address must match on the client address.
The destination IP address must match on the real server address. The
action must be permit. The NAT pool is used only for traffic that matches the
ACL. This configuration allows the virtual port to have multiple pools, and to
select a pool based on the traffic.
Example The following commands configure a standard ACL to deny traffic from sub-
net 10.10.10.x, and apply the ACL to the inbound traffic direction on virtual
port 8080 on virtual server “slb1”:
ACOS(config)# access-list 99 deny 10.10.10.0 0.0.0.255

ACOS(config)# slb virtual-server vslb1
page 351
ACOS(config-slb vserver-vport)# access-list 99
Example The following commands configure policy-based source NAT, by binding

ACLs to NAT pools on the virtual port.

ACOS(config-slb virtual server)# port 80 tcp
ACOS(config-slb vserver-vport)# access-list 30 source-nat-pool pool1
ACOS(config-slb vserver-vport)# access-list 50 source-nat-pool pool2
aflex
Description Apply an aFleX policy to a virtual port.
Syntax [no] aflex policy-name
Replace policy-name with the name of a configured aFleX policy.
Default N/A
Mode Virtual port
Usage The normal form of this command applies the specified aFleX policy to the
port. The no form of this command removes the aFleX policy from the port.
For more information about aFleX policies, see the aFleX Scripting Language
Reference.
Example The following command applies aFleX policy “aflex1” to a virtual port:
ACOS(config-slb vserver-vport)# aflex aflex1
alternate
Description Enables switchover to another virtual port, based on specific conditions.
page 352
Syntax [no] alternate port port-num

{alt-port-service-type [switchover-event]}
port-num Port number of the alternate virtual port.
alt-port-service-type Service type of the alternate port, tcp or http.
switchover-event The event types that cause switchover from the primary port to the alternate
port:
For TCP alternate ports, you can specify the following:
• req-fail – Switches over if a request fails.
• when-down – Switches over if the service group for the primary port is
down.
For HTTP alternate ports, you can specify the following:
• serv-sel-fail – Switches over if SLB server selection fails.
• when-down – Switches over if the service group for the primary port is
down.
Default Not set
Mode Virtual port
bucket-count
Description Configure the number of traffic buckets used in a Scale Out configuration.
Syntax [no] bucket-count num
Replace num with the number of traffic buckets (1-256).
Mode Virtual port
page 353
clientip-sticky-nat
Description Configure client stickiness for outbound Next Hop Load Distributor (NHLD).
Syntax [no] clientip-sticky-nat
Default Disabled
Mode Virtual port
Usage Sticky NAT for outbound Next Hop Load Distributor (NHLD) provides a vir-
tual-port option to ensure the ACOS device always uses the same outbound
link for a given client’s traffic. You can enable it on individual virtual ports.
The Sticky NAT option applies only to NHLD. The option does not apply to
other features, such as SLB.
The sticky NAT option is not supported with the ip-rr (IP round-robin)
option.
conn-limit
Description Set the connection limit for a virtual port.
Syntax [no] conn-limit number [reset] [no-logging]
number Connection limit, 0-8000000 (8 million); 0 means no limit.
reset Sends a connection reset to the client, if the connection limit is reached. If
you omit this option, the connection silently drops and no reset is sent to the
client.
Default Not set. If you set a limit, the default action for any new connection request
after the limit has been reached is to silently drop the connection, without
sending a reset to the client. Logging is enabled by default.
Mode Virtual port
Usage The normal form of this command changes the current port’s connection
limit.
The no form of this command resets the port connection limit to its default
value.
The connection limit puts a hard limit on the number of concurrent

connections supported by the port. No more connections will be put on the
port if its number of current connections is already equal to or bigger than
the limit.
page 354
If you change the connection limiting configuration on a virtual port or virtual

become incorrect. To avoid this, do not change the connection limiting
configuration until the virtual server or port does not have any active
connections.
Example The following command changes a virtual port’s connection limit to 10000:

ACOS(config-slb vserver-vport)# conn-limit 10000
def-selection-if-pref-failed
Description Configure SLB to continue checking for an available server in other service
groups if all of the servers are down in the first service group selected by
SLB.
Syntax def-selection-if-pref-failed
Default Enabled
Mode Virtual port
Usage During SLB selection of the preferred server to use for a client request, SLB
checks the following configuration areas, in the order listed:
1. Layer 3-4 configuration items:
• aFleX policies triggered by Layer 4 events
• Policy-based SLB (black/white lists). PBSLB is a Layer 3 configura-
tion item because it matches on IP addresses in black/white lists.
2. Layer 7 configuration items:
• Cookie switching
• aFleX policies triggered by Layer 7 events
• URL switching
• Host switching
3. Default service group. If none of the items above results in selection of a
server, the default service group is used.
• In single service group configurations, this is the default service
group.
• If the configuration uses multiple service groups, the default service
group is the one that is used if none of the templates used by the
configuration selects another service group instead.
For example, if an CLIENT_ACCEPTED event triggers an aFleX policy, the

policy is consulted first. If an HTTP_REQUEST event triggers an aFleX policy,
page 355
the policy is consulted if none of the Layer 4 configuration items results in a

server selection.
The first configuration area that matches the client or VIP (as applicable) is
used, and the client request is sent to a server in the service group that is
applicable to that configuration area. For example, if the client's IP address is
in a black/white list, the service group specified by the list is used for the
client request.
When the def-selection-if-pref-failed option is enabled, SLB continues to

check for an available server in other service groups if all servers are down in
the first service group selected by SLB.
If Policy-Based SLB (PBSLB) is configured on the same virtual port, PBSLB

server-selection failures are not logged. This limitation does not affect
failures caused when a client is over itsr PBSLB connection limit. These
failures are still logged.
To disable the option, see “def-selection-if-pref-failed-disable” on page 1.
Example The following command enables this option:
ACOS(config-slb vserver-vport)# def-selection-if-pref-failed
def-selection-if-pref-failed-disable
Description Disable the def-selection-if-pref-failed option. (See “def-selection-if-pref-
failed” on page 1.)
Syntax def-selection-if-pref-failed-disable
disable
Description Disable a virtual port.
Syntax [no] disable
Default Enabled
Mode Virtual port
Example The following command disables a virtual port:

ACOS(config-slb vserver-vport)# disable
page 356
enable
Description Enable a virtual port.
Syntax [no] enable
Default Enabled
Mode Virtual port
Example The following command re-enables a virtual port:

ACOS(config-slb vserver-vport)# enable
extended-stats
Description Enable collection of peak connection statistics for a virtual port.
Default Disabled
Mode Virtual port
force-routing-mode
Description Disables destination NAT, so that server responses go directly to clients.
Syntax [no] force-routing-mode
Default Disabled
Mode Virtual port
For IPv4 VIPs, DSR is supported on virtual port (service) types TCP, UDP,
FTP, and RTSP. For IPv6 VIPs, DSR is supported on virtual port types TCP,
UDP, and RTSP.
page 357
ha-conn-mirror
Description Enable connection mirroring (session synchronization) for the virtual port.
Syntax [no] ha-conn-mirror
Default Disabled.
Mode Virtual port
Usage Connection mirroring applies to VRRP-A configurations. When connection

mirroring is enabled, the Active AACOS device sends information about
active client connections to the Standby ACOS device. If a failover occurs,
the newly Active ACOS device continues service for the session. The client
perceives very brief or no interruption.
When connection mirroring is disabled, client session information is lost.

Clients must establish new connections.
In VRRP-A deployments, session synchronization is required for persistent
sessions (for example, source-IP persistence), and is therefore automatically
enabled for these sessions by the ACOS device. Persistent sessions are
synchronized even if session synchronization is disabled in the
configuration.
Session synchronization applies only to certain virtual port types. The ha-
conn-mirror command is listed in the CLI help only for those virtual port
types.
ip-map-list
Description Applies an IP map list to the virtual port.
Syntax [no] ip-map-list list-name
Default Not set
Mode Virtual port
ipinip
Description Enables IP-in-IP tunneling. This option is available only on the following port
types: TCP, UDP, RSTP, FTP, MMS, SIP, TFTP and Radius.
Syntax [no] ipinip
Mode Virtual port
page 358
message-switching
Description Enable message switching.
This causes messages to be forwarded in their entirety, one hop at a time.

Each message is treated as its own individual entity.
Syntax [no] message-switching
Mode Virtual port
name
Description Change the name assigned to the virtual port.
Syntax name string
Replace string with the name for the virtual port.
Default The ACOS device assigns a name that uses the following format:
_vip-addr_service-type_portnum
Mode Virtual port
no-auto-up-on-aflex
Description Disable automatic setting of an aFleX-bound virtual port’s state to Up.
Syntax [no] no-auto-up-on-aflex
Default Disabled. If an aFleX script is bound to the virtual port, the port is automati-
cally marked Up.
Mode Virtual port
Usage This command applies only if an aFleX script is bound to the virtual port.
no-dest-nat
Description Disable destination NAT.
Syntax [no] no-dest-nat [port-translation]
For wildcard VIPs, the port-translation option enables the ACOS device to
translate the destination protocol port in a client request before sending the
request to a server.
This option is useful if the real port number on the server is different from the
virtual port number of the VIP. Without this option, the ACOS device sends
page 359
the request to the server without changing the destination port number.
This option does not change the destination IP address of the request.
This option is supported only for virtual ports that are on wildcard VIPs.
Default Destination NAT is enabled by default.
Mode Virtual port
Usage This option can be used for Direct Server Return (DSR) or for wildcard VIPs.
Direct Server Return
For virtual servers that have a specific virtual IP address (VIP), disabling
destination NAT enables Direct Server Return (DSR). When DSR is enabled,
only the destination MAC address is translated from the VIP’s MAC address
to the real server’s MAC address. The destination IP address is still the VIP.
In DSR topologies, reply traffic from the server to the client is expected to
bypass the ACOS device.
In the current release, for IPv4 VIPs, DSR is supported on virtual port types
(service types) TCP, UDP, FTP, and RTSP. For IPv6 VIPs, DSR is supported on
virtual port types TCP, UDP, and RTSP.
Wildcard VIPs
For wildcard VIPs (VIPs that can have any IP address), this option enables
the ACOS device to send the client request to the server without changing
the destination IP address of the request.
The destination port of the request also is unchanged, unless you use the
port-translation option. (See above.)
Depending on the network topology and the application, reply traffic from the
server to the client may or may not pass back through the ACOS device. If
the port-translation option is used, and reply traffic passes through the
ACOS device, the ACOS device translates the source port of the server reply
back into the destination port to which the client sent the request, before
forwarding the reply to the client.
The port-translation option is supported only for the following virtual port
types: TCP, UDP, and HTTP/HTTPS.
rate-limit-pr-log
Description For Thunder integrations with the A10 Lightning Controller, this commands
configures the rate limit for Per Request logging. This is used to prevent the
Thunder devices from sending too many log messages to the Lightning Con-
page 360
troller at a rate that would exceed the capability of the controller to accept
them.
Syntax [no] rate-limit-pr-log num
Default Disabled
Mode Virtual port
Usage This command is only available on HTTP virtual ports.
redirect-fwd
Description In a single partition SSLi deployment, the forward direction steers layer 2
traffic from client to Internet on the specified interface.
Syntax [no] redirect-fwd {ethernet eth-id | trunk trunk-id}
Default Disabled
Mode Virtual port
Usage This is only supported under the wildcard VIP 0.0.0.0 for SSLi..
Example The following example shows using the redirect-fwd command to select
the forward direction for steering the layer 2 traffic from the client destined
for a traffic inspection device out Ethernet 3.
ACOS(config)# slb virtual-server inside1 0.0.0.0 acl 102

ACOS(config-slb vserver-vport)# service-group sg_real_server_tcp
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# redirect-fwd ethernet 3
page 361
redirect-rev
Description In a single partition SSLi deployment, the reverse direction steers layer 2 traf-
fic from Internet to client on the specified interface.
Syntax [no] redirect-rev {ethernet eth-id | trunk trunk-id}
Default Disabled
Mode Virtual port
Usage This is only supported under the wildcard VIP 0.0.0.0 for SSLi..
Example The following example shows the redirect-rev command to select the
reverse direction for steering the layer 2 traffic destined for the security
device from the Internet out Ethernet 5.
ACOS(config)# slb virtual-server outside1 0.0.0.0 acl 103

ACOS(config-slb vserver-vport)# service-group sg_real_server_tcp
ACOS(config-slb vserver-vport)# redirect-rev ethernet 5
page 362
redirect-to-https
Description Responds to client HTTP requests with an HTTP redirect response with
response code 302 (Moved Permanently). The client is redirected to the
same host and URI they requested, but using HTTPS instead of HTTP.
Syntax [no] redirect-to-https
Default Disabled
Mode Virtual port
Usage This command is only available on HTTP virtual ports.
reset-on-server-selection-fail
Description Send a TCP reset (RST) to the client if server selection fails.
Syntax [no] reset-on-server-selection-fail
Default Disabled
Mode Virtual port
Usage The TCP template reset-rev option also can be used to send a RST to cli-
ents. In AX releases prior to 2.2.2, the reset-rev option would send a RST in
response to a server selection failure. In AX Release 2.2.2 and later, this is no
longer true. The reset-on-server-selection-fail option must be used
instead.
Description Causes RTP traffic try to match the real server of an SIP SMP call-id session.
This command is used in conjunction with the smp-call-id-rtp-session

option under SIP template configuration (“slb template sip (over UDP)” on
page 97), which creates a cross-CPU RTP session that can be matched by
RTP traffic.
Syntax [no] rtp-sip-call-id-match
Mode Virtual port
Example The example below shows a sample configuration:
!
slb template sip test
!
page 363
!
slb virtual-server vv 0.0.0.0
port 0 udp
skip-rev-hash
message-switching
force-routing-mode
no-dest-nat
service-group win
port 5060 sip
message-switching
force-routing-mode
service-group winms
template sip test
!
service-group
Description Bind a virtual port to a service group.
Syntax [no] service-group group-name
Replace group-name with the service-group name.
Default N/A
Mode Virtual port
Usage The normal form of this command binds the virtual port to the specified ser-
vice group. The “no” form of this command removes the binding.
One virtual port can be associated with one service group only, while one
service group can be associated with multiple virtual ports. The type of
service group and type of virtual port should match. For example, a UDP
service group can not be bound to an HTTP virtual port.
skip-rev-hash
Description Will not insert reverse tuple into the hash for lookup. This is used with aFlex
with stateless load-balancing methods.
Syntax [no] skip-rev-hash
Mode Virtual port
Example The following example shows how to activate this feature.
page 364

ACOS(config-slb vserver-vport)# skip-rev-hash
snat-on-vip
Description Enable IP NAT support for the virtual port.
Syntax [no] snat-on-vip
Default Disabled
Mode Virtual port
Usage Source IP NAT can be configured on a virtual port in the following ways:
1. ACL-based source NAT (access-list command at virtual port level)
2. VIP source NAT (slb snat-on-vip command at global configuration
level)
3. aFleX policy (aflex command at virtual port level)
4. Non-ACL source NAT (source-nat command at virtual port level)
These methods are used in the order shown above. For example, if IP source
NAT is configured using an ACL on the virtual port, and the slb snat-on-vip
command is also used, then a pool assigned by the ACL is used for traffic
that is permitted by the ACL. For traffic that is not permitted by the ACL, VIP
source NAT can be used instead.
The device does not support source IP NAT on FTP or RTSP virtual ports.
source-nat auto
Description Configure Smart NAT, to automatically create NAT mappings using the
ACOS interface connected to the real server.
Syntax [no] source-nat auto [precedence]
This option is applicable if standard NAT pools are also used by the virtual
port. In this case, using the precedence option causes Smart NAT to be used
before the standard NAT pools are used.
Default Disabled
Mode Virtual port
Usage Up to 45 K mappings per real server port are supported. The ACOS device
can use the same ACOS interface IP address and port for more than one
server connection. The combination of ACOS IP address and port number
(source) and server IP address and port (destination) uniquely identifies
each mapping.
page 365
Smart NAT can be used along with standard NAT pools or pool groups. In
this case, by default, the standard pool addresses are used first. Smart NAT
is used only when the standard pools can not support any more mappings.
You can change this behavior so that Smart NAT is used first.
Additional Notes
• Smart NAT applies only to ACOS devices deployed in route mode (“gate-
way” mode). The feature is not applicable to devices in transparent
mode.
• Smart NAT uses only the primary IP address on an interface, even if
multiple addresses are configured on the interface.
• Smart NAT uses protocol ports 20032-65535.
• Smart NAT is not supported on SIP, SIP-TCP, or SIPS virtual ports.
• VRRP-A support:
• A floating IP addresses is required for session synchronization.
• Bind the service group to only a single virtual port. If this is not possi-
ble, ensure all virtual ports bound to the service group have the same
VRID.
source-nat pool
Description Enable source NAT. Source NAT is required if the real servers are in a differ-
ent subnet than the VIP.
This command is not applicable to the MMS or RTSP service types.

Syntax [no] source-nat pool {pool-name | pool-group-name}
pool-name Specifies the name of an IP pool of addresses to use as
source addresses.
pool-group-name Specifies the name of a group of IP address pools to use
as source addresses.
Default Disabled.
Mode Virtual port
Usage This command enables source NAT using a single NAT pool or pool group,
for all source addresses. If you want the ACOS device to select from among
multiple pools based on source IP address, configure policy-based source
NAT instead. See “access-list” on page 1.
Example The following example enables source NAT for the virtual port:
ACOS(config-slb vserver-vport)# source-nat pool pool2
page 366
stats-data-disable
Description Disable collection of statistical data for the virtual port.
Mode Virtual port
stats-data-enable
Description Enable collection of statistical data for the virtual port.
Mode Virtual port
lection also must be enabled globally. (See “slb resource-usage” on
page 497.)
syn-cookie
Description Enable software-based SYN cookies for a virtual port. SYN cookies provide
protection against TCP SYN flood attacks.
Syntax [no] syn-cookie [expand]
The expand option enables expanded SYN cookie support. When enabled, the
ACOS device can encode values for the following TCP options in the SYN-
ACK:
• Windows Scale for outbound traffic (send)

• Windows Scale for inbound traffic (receive)
• Selective acknowledgement (SACK) flag
These options are described in RFC 1323, TCP Extensions for High
Performance.
Default Disabled.
Mode Virtual port
Usage If hardware-based SYN cookies are enabled, software-based SYN cookies

are not needed and are not used. (Hardware-based SYN cookies are enabled
at the global configuration level. See “syn-cookie” in the Command Line Inter-
face Reference guide.
page 367
For software-based SYN cookies, the ACOS device bases Selective

Acknowledgment (SACK) support, and the maximum segment size (MSS)
setting, in software-based SYN cookies on server replies to TCP health
checks sent to the servers.
SACK
The ACOS device includes the Sack-Permitted option in TCP SYN health
check packets sent to servers.
• If all up servers in the service group reply with a TCP SYN-ACK that con-
tains a SACK option, the ACOS device uses SACK with the software-
based SYN-cookie feature, for all servers in the service group.
• If any of the up servers in the service group does not send a SACK
option, the ACOS device does not use SACK with the software-based
SYN-cookie feature, for any servers in the service group.
The software-based SYN-cookie feature cannot enable SACK. When
upgrading an ACOS device, SACK option is ignored even when specified by
startup-config
MSS
The lowest MSS value supported by any of the servers in the service group is
the MSS value used by the ACOS device for software-based SYN-cookies.
template
Description Apply an SLB configuration template to a virtual port.
Syntax [no] template template-type template-name
template-type Type of template. The template types that are available depend on the service type of
the virtual port. To list the available template types, enter the following command: tem-
plate ?
For information about the virtual-port template type, see “template virtual-port” on
page 369.
template-name Name of the template.
Default If the ACOS device has a default template that is applicable to the service
type, the default template is automatically applied. The ACOS device has a
default virtual-port template, which is applied to a virtual port when you cre-
ate it.
Mode Virtual port
page 368
Usage The normal form of this command applies the specified template to the vir-
tual port. The no form of this command removes the template from the vir-
tual port but does not delete the template itself.
A virtual port can be associated with only one template of a given type.
However, the same template can be associated with more than one virtual
port. To bind a virtual-port template to the port, see “template virtual-port” on
page 1.
Example This example applies connection reuse template “reuse-template” to a virtual

port:
ACOS(config-slb vserver-vport)# template connection-reuse reuse-template
template virtual-port
Description Bind a virtual service port template to the virtual port.
Syntax [no] template virtual-port template-name
Default The virtual port template of “default” is bound to virtual ports by default.
Parameter settings in this default template are automatically applied to the
new virtual port, until a different virtual port template is bound to the virtual
port.
Mode Virtual port
Usage If a parameter is set individually on this virtual port and also is set in a virtual
port template bound to this virtual port, the individual setting on this port is
used instead of the setting in the template.
To configure a virtual port template, see “slb template virtual-port” on

page 603.
Example These commands configure a virtual service port template named “com-
mon-vpsettings”, set the connection limit, and bind the template to a virtual
port:
ACOS(config)# slb template virtual-port common-vpsettings

ACOS(config-vport)# conn-limit 500000
ACOS(config-slb vserver-vport)# template virtual-port common-vpset-
tings
page 369
use-default-if-no-server
Description Forward client traffic at Layer 3, if SLB server selection fails.
Syntax [no] use-default-if-no-server
Default Disabled. If SLB server selection fails, the traffic is dropped.
Mode Virtual port
Usage This command applies only to wildcard VIPs (VIP address 0.0.0.0).
Description Force the ACOS device to send replies to clients back through the last hop
on which the request for the virtual port's service was received.
Syntax use-rcv-hop-for-resp [ src-dst-ip-swap-persist |

use-src-ip-for-dst-persist | use-dst-ip-for-src-persist ]
src-dst-ip-swap-persist Creates a persistent session after the source IP and destination IP have
been swapped. The new persistent session that is created should match
both the source IP and the destination IP. This option should be used with
the incl-dst-ip option for the ALG FWLB feature. This option cannot be
used for the SIP protocol, because a SIP transaction may involve three or
more parties.
use-src-ip-for-dst-persist Creates a destination persistent session based on the source IP.
use-dst-ip-for-src-persist The ACOS device uses the destination IP to create source-IP persistent
sessions for SIP or FTP sessions. With enabled, the response packet go
through the same firewall as the client’s request packet, and the SIP ses-
sion and communication sessions will be load balanced through the
same firewall node.
Default Disabled.
Mode Virtual port
Usage For simple protocols, load balancing across a firewall is relatively easy. How-
ever, load balancing Application Layer Gateway (ALG) protocols, such as SIP
and FTP, which have multiple connections that can originate from either side
of the firewall deployment can be more challenging. The lack of predictability
that occurs with ALG protocols can cause the protocol’s control connection
and data connection to be sent to different firewalls, thus causing the appli-
cation to break.
The ACOS device uses use-rcv-hop-for-resp and sub-options to load

balance ALG protocols through a firewall deployment consisting of paired
firewalls.
page 370
For the use-rcv-hop-for-resp command to work for incoming packets on

the default VLAN, you must also configure vlan-global enable-def-vlan-
l2-forwarding. For example:
ACOS(config)# vlan-global enable-def-vlan-l2-forwarding

ACOS(config)# slb virtual-server outbound_wc 0.0.0.0 acl 100
ACOS(config-slb vserver-vport)# service-group SG_TCP
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
For more information, refer to the “ALG Protocol FWLB Support for FTP and
SIP” chapter in the Application Delivery and Server Load Balancing Guide.
page 371
page 372
Config Commands: Health Monitors
This chapter describes the CLI commands available to configure SLB health monitors:
• disable-after-down
• dsr-l2-strict
• interval
• method
• override-ipv4
• override-ipv6
• override-port
• passive
• retry
• ssl-ciphers
• strictly-retry-on-server-error-response
• up-retry
To access this configuration level, enter the health monitor command at the global configuration level.

ACOS(config-health:monitor)#
For more information about health monitors, see the “Health Monitoring” chapter of the Application
Delivery and Server Load Balancing Guide.
page 373
disable-after-down
Description Disable the target of a health check if the target fails the health check.
Syntax [no] disable-after-down
Default Disabled
Mode Health monitor configuration
Usage This command applies to all servers, ports, or service groups that use the
health monitor. When a server, port, or service group is disabled based on
this command, the server, port, or service group’s state is changed to dis-
able in the running-config. If you save the configuration while the server,
port, or service group is disabled, the state change is written to the startup-
config.
The server, port, or service group remains disabled until you explicitly enable
it.
dsr-l2-strict
Description In Layer 2 DSR environments, this option ensures that health check packets
are only sent to servers in the same Layer 2 network as the ACOS device.
Servers not in the same Layer 2 network are marked as DOWN by the health
check.
Syntax [no] dsr-l2-strict
Default Disabled
interval
Description Number of seconds between health check attempt, 1-180 seconds. A health
check attempt consists of the ACOS device sending a packet to the server.
The packet type and payload depend on the health monitor type. For exam-
ple, an HTTP health monitor might send an HTTP GET request packet.
Syntax [no] interval seconds [timeout seconds]
interval seconds Period between health check attempts, 1-180 seconds. Default is 5 seconds.
timeout seconds Period that ACOS waits for a reply to a health check, 1-12 seconds. The
default is 5 seconds.
page 374
method
Description Configure a health method.
Syntax [no] method method-options
Valid parameters for method-options are shown in the following table:
compound sub monitor-name Configures a compound health monitor. A compound health monitor
[sub monitor-name ...] consists of a set of health monitors joined in a Boolean expression
Boolean-operators (AND / OR / NOT). For more information, see the “Compound Health
Monitors” section in the “Health Monitoring” chapter of the Application
Delivery and Server Load Balancing Guide.
[no] database database-type Configures a database health monitor. The ACOS device sends a data-
db-name name base query to the specified server.
username username-string
password password-string • database database-type – Specifies the type of database to test:
[query-options]
• mssql
• mysql
• oracle
• postgresql
• db-name name – Specifies the name of the database to query.
• username username-string password password-string –

Specifies the login information required to access the database.
• query-options – Specifies query information:

send query
[receive expected-reply | receive-integer integer]
[row row-num column col-num]
• send query – SQL query to send to the database.
• receive expected-reply – Query result expected from the

database in order to pass the health check. To use the receive
(1-31 characters) or receive-integer (0-2147483647) options,
you also must use the send option. If you do not use send, the
ACOS device does not send a query.
• row row-num column col-num – For replies that consist of mul-

tiple results, the results are in a table. You can specify the row and
column location within the results table to use as the receive
string. If you do not specify the row and column, row 1 and col-
umn 1 are queried by default.
page 375
dns Sends a lookup request to the specified port number for the specified
{ipaddr | domain domain-name} domain name. By default, expects reply with code 0. You can specify a
[options] domain name or a server IP address as the target of the health check.
You also can configure the following options:
• expect response-code code-list – Specifies a list of response

codes, in the range 0-15, that are valid responses to a health check.
The DNS server can respond with any of the expected response
codes. By default, the expect list is empty, in which case the ACOS
device expects status code 0 (No error condition).
• port port-num – Specifies the protocol port number on which the

DNS server listens for DNS queries. Use this option if the server is
not using the default DNS port, 53.
• recurse {enabled | disabled} – Specifies whether the tested

DNS server is allowed to send the health check’s request to another
DNS server if the tested server can not fulfill the request using its
own database. Recursion is enabled by default.
• tcp – Enables use of TCP for a DNS health monitor.
• type {A | CNAME | SOA | PTR | MX | TXT | AAAA} – For health

checks sent to a domain name, specifies the record type the
responding server is expected to send in reply to health checks.
You can specify one of the following record types:
• A – IPv4 address record
• CNAME – Canonical name record for a DNS alias
• SOA – Start of authority record
• PTR – Pointer record for a domain name
• MX – Mail Exchanger record
• TXT – Text string
• AAAA – IPv6 address record
By default, the ACOS device expects the DNS server to respond to

the health check with an A record.
external [port portnum] Runs an external program (for example, a Tcl script) and bases the
program program-name health status on the outcome of the program. See “Usage” below for
[arguments argument-string] more information on health check using an external program.
[preference]
The preference option applies to weighted load-balancing methods
such as SNMP-based load balancing. (See the “SNMP-based Load Bal-
ancing” chapter in the Application Delivery and Server Load Balancing
Guide.)
External health methods are not supported in Direct Server Return

(DSR) deployments.
page 376
ftp Sends an FTP login request to the specified port. Expects OK message,
[[username name or Password message followed by OK message. Unless you use anon-
password string] ymous login, the username and password must be specified in the
port port-num] health check configuration.
http [options] Sends an HTTP request to the specified TCP port and URL. Expects OK
message (200).
You can specify the following options:
• expect {response-code code-list |

response-code-regex regex-code-list | text-string |
text-regex regex-text-string} – Specifies a response code,
response code with regular expressions, a text string, or text string
with regular expression expected from the server. To specify a range
of response codes for response-code, use a dash ( - ) between the
low and high numbers of the range. Use commas to delimit individ-
ual code numbers or separate ranges. By default, the ACOS device
expects response code 200 (OK).
• host {ipv4-addr | ipv6-addr | domain-name} [:port-num] –

Replaces the information in the Host field of the request sent to the
real server. By default, the real server’s IP address is placed in the
field.
• Kerberos-auth realm realm_name kdc ip/ipv6-addr port num

– Specifies Kerberos authentication by using the HTTP negotiation
mechanism. To enable Kerberos authentication on the health moni-
tor, enter a Kerberos realm as well as the IP address of the KDC
server and its related port.
• maintenance-code code-list – Specifies a response code that

indicates the server needs to be placed into maintenance mode. If
the ACOS device receives the specified status code in response to a
health check, the ACOS device changes the server’s health status to
Maintenance.
When a server’s health status is Maintenance, the server will accept

new requests on existing cookie-persistent or source-IP persistent
connections, but will not accept any other requests.
To leave maintenance mode, the server must do one of the follow-

ing:
• – Successfully reply to a health check by sending the expected

string or response code, but without including the maintenance
code. In this case, the server’s health status changes to Up.
• – Fail a health check. In this case, the server’s status changes to

Down.
The Maintenance health status applies to server ports and service-

group members. When a port’s status changes to Maintenance, this
change applies to all service-group members that use the port.
NOTE: The expect maintenance-code option applies only to serv-

ers in cookie-persistence or source-IP persistence configurations,
and can be used only for HTTP and HTTPS ports.
page 377
http [options] • port port-num – Specifies the protocol port on which the server lis-
(cont.) tens for HTTP traffic. Use this option if the server does not use the
default HTTP port, 80.
• url string – Specifies the request type and the page (url-path) to
which to send the request. By default, GET requests are sent for “ / ”,
the index.html page. You can specify one of the following:
• GET url-path
• HEAD url-path
• POST url-path postdata string
• POST / postfile filename
In a postdata string, use “=” between a field name and the value you
are posting to it. If you post to multiple fields, use “&” between the
fields. For example: postdata fieldname1=value&field-
name1=value. The string can be up to 255 bytes long.
• username name – Specifies the username required for HTTP access

to the server. Unless anonymous login is used, the username must
be specified.
https [options] Similar to an HTTP health check, except SSL is used to secure the con-
nection. The default port is 443.
The disable-sslv2hello option disables encapsulation of SSLv3,

TLSv1, or TLSv1.1 hello messages within the SSLv2 hello messages
for HTTPS health checks.
The cert cert-name and key key-name options are used to add an
SSL certificate and key to an HTTPS health monitor. When you use this
option, the ACOS device uses the certificate and key during the SSL
handshake with the HTTPS port on the server.
The certificate you plan to use with the health monitor must be present
on the ACOS device before you configure the health monitor.
icmp [transparent ipaddr] Sends an ICMP echo request to the server. Expects ICMP echo reply
message.
The transparent ipaddr option is applicable if the target of the

health monitor is reached through an intermediary device. The option
tests the path through the intermediary device to the target device.
imap Sends an IMAP login request with the specified username name and
[port port-num] password string. Expects reply with OK message.
[username name password string
[auth auth-type]] For the auth-type, you can specify one or more of the following
authentication methods:
• cram-md5—Challenge-response authentication. Note that the user’s

password will be used as the shared secret.
• login—Simple login authentication.
• plain—Plain text authentication.
If all three options are specified, plain will be selected.
If plain is not specified, then cram-md5 will be used.
page 378
kerberos-kdc kinit Configures a method to check accessibility of the KDC for obtaining a
principal password TGT.
{kdc-hostname | kdc-ipaddr}
[port port-num] • principal – Name of the Kerberos principal. This is the ACOS cli-
[tcp-only]
ent name presented to the server.
• password – Kerberos admin password.
• {kdc-hostname | kdc-ipaddr} [port port-num] – Hostname

or IP address of the server where the KDC is running. The port
option specifies the protocol port on which the server listens for TGT
requests. The default KDC port is 88.
• tcp-only – Sends health checks only over TCP.

kerberos-kdc kadmin Configures a method to check accessibility of the Kerberos server for
realm-name principal password user account administration.
[port port-num] • realm-name – Name of the Kerberos realm.
{admin-hostname |
admin-ipaddr}
[port port-num] • principal – Name of the Kerberos principal.
• {kdc-hostname | kdc-ipaddr} [port port-num] – Hostname

or IP address of the Kerberos server. The port option specifies the
TCP port on which the server listens for user account administration
requests. The default TCP port is 749.
For information about the other options, see the descriptions for ker-
beros-kdc kinit (described above).
kerberos-kdc kpasswd Configures a method to check accessibility of the Kerberos server for
principal password user password change.
[port port-num] • {pwd-hostname | pwd-ipaddr} [port port-num] – Hostname
{pwd-hostname | pwd-ipaddr}
[port port-num] or IP address of the Kerberos server. The port option specifies the
UDP port on which the server listens for user password-change
requests. The default UDP port is UDP port 464.
For information about the other options, see the descriptions for ker-
beros-kdc kinit (described above).
page 379
ldap Configures a method to check accessibility the KDC for obtaining a
[StartTLS] TGT.
[binddn dn-string password]
[overssl] • StartTLS – Begins the health check by sending a StartTLS request.
[port port-num]
[run-search options]
• binddn dn-string password – DN name and password.
• overssl – Uses TLS to secure the connection.
• port port-num – UDP port on which the server listens for user
password-change requests. The default UDP port is UDP port 464.
• run-search options – Performs the specified database search.

The following options are supported:
• BaseDN dn-string – Searched the database for the specified

DN.
• query query-string [AcceptNotFound] – Sends the specified

query string to the server.
The AcceptNotFound option allows the health check to pass even if

the search query is unsuccessful.
ntp Sends an NTP client message to UDP port 123. Expects a standard
NTP 48-byte reply packet.
pop3 Sends a POP3 user login request with the specified username and
port port-num password. Expects reply with OK message.
username name
password string
radius username name Sends a Password Authentication Protocol (PAP) request to the speci-
password string fied port to authenticate the specified username. Expects Access
secret string Accepted message (reply code 2). The secret option specifies the
[port port-num] shared secret required by the RADIUS server.
[expect response-code
code-list]
The code-list can contain one or more numeric response codes. To
specify more than one code, use commas but no spaces. (See “CLI
Example” below.)
rtsp Sends a request to the specified port for information about the file
port port-num specified by rtspurl. Expects reply with information about the speci-
rtspurl string fied file.
page 380
sip Sends a SIP request to the SIP port. Expects 200 OK in response by
[register] default. The request is an OPTION request, unless you use the regis-
[port port-num] ter option to send a REGISTER request instead.
[expect-response-code values]
[tcp]
The expect-response-code option specifies a set of SIP status
codes. In this case, a SIP health check is successful only if the server
reply includes one of the specified SIP status codes. You can specify
any or a combination of individual code numbers and code ranges.
Use commas as delimiters, with no spaces. Use a dash and no spaces
to delimit the lower and upper values of a range. Examples:
expect-response-code 100,101,121,200
expect-response-code 100-121,200
expect-response-code any
The tcp option configures the health method for SIP over TCP/TLS.
Without this option, the health method is for SIP over UDP.
smtp Sends an SMTP Hello message to the specified server in the specified
domain domain-name domain. Expects reply with OK message (reply code 250).
port port-num
[mail-from sender An SMTP message is generated after establishing a TCP connection
rcpt-to receiver]
[starttls] with the server. The message is sent only after the ACOS device sends
the “HELO” message and receives the expected response. Use the
mail-from option to specify the SMTP sender of this message, and
the rcpt-to option to specify the recipient of this message.
You can optionally specify a specific port number, and also check for
STARTTLS support when the Hello message is received.
snmp [port port-num] Sends an SNMP Get or Get Next request to the specified OID, from the
[community string] specified community. Expects reply with the value of the OID. The OID
[oid oid-name] can be sysDescr, sysUpTime, sysName, or another name in ASN.1
[operation {get | getnext}] style.
Although you can enter these objects in ASN.1 format, only MIB-2 OIDs
are supported.
tacplus username username Configures a method to check server availability by passing the
password password TACACS+ parameters, with secret and password encrypted.If authenti-
secret shared-secret cation is correct, a success message is returned that keeps the server
[port portnum] status marked as up.
[type inbound-ascii-login]
• username – Specify the username to authenticate (1-31 characters).
• password – Specify the password to authenticate (0-31 characters).

A password of '' means no password.
• shared-secret – Specify the shared secret for the TACACS+ server

(1-31 characters).
• port-num – Specify the TACACS+ port (1-65534, default 49).
• type inbound-ascii-login –The TACACS+ type. The currently

supported type is inbound-ascii-login, which is also the default.
page 381
tcp Sends a connection request (TCP SYN) to the specified TCP port on
port port-num the server. Expects TCP SYN ACK in reply.
[halfopen]
[send send-string By default, ACOS responds to the SYN ACK by sending an ACK. To con-
response contains
response-string] figure ACOS to send a RST (Reset) instead, use the halfopen option.
Use the send and response contains options to send and receive
text strings in TCP health checks.
The send-string is the string the ACOS device sends to the TCP port
after the three-way handshake is completed. The response-string is the
string that must be present in the server reply.
Each string can be 1-127 characters long. If a string contain blank

spaces or other special characters (for example, “ / ” or “ \ ”), use dou-
ble quotation marks around the entire string.
udp port port-num Sends a packet with a valid UDP header and a garbage payload to the
specified UDP port on the server. Expects either of the following:
• server reply from the specified UDP port, with any type of packet.
• server does not reply at all.
The server fails the health check only if the server replies with an ICMP
Error message.
Default The configuration has a default “ping” health monitor that uses the icmp
method. The ACOS device applies the ping monitor by default. The ACOS
device also applies the TCP or UDP health monitor by default, depending on
the port type. These default monitors are used even if you also apply config-
ured monitors to a service port.
To use differently configured ping or TCP/UDP monitors, configure new

monitors with the ICMP, TCP, or UDP method and apply those monitors
instead.
When specifying a protocol port number, specify the port number on the real
server, not the port number of the virtual port. By default, the well-known port
number for the service type of the health monitor is used. For example, for
LDAP, the default port is 389 (or 636 if the overssl option is used).
If you specify the protocol port number in the health monitor, the protocol
port number configured in the health monitor is used if you send an on-
demand health check to a server without specifying the protocol port. (See
the “health-test” command in the Command Line Interface Reference. After
you bind the health monitor to a real server port, health checks using the
monitor are addressed to the real server port number instead of the port
number specified in the health monitor’s configuration. In this case, you can
override the IP address or port using the override commands described
later in this chapter.
page 382
Usage To use a health method, you must do the following:

1. Configure a health monitor, by assigning a name to it and by assigning
one of the health methods listed above to it. Use the health monitor
command at the global Config level to create and name the monitor.
(See the “health monitor” command in the Command Line Interface Refer-
ence.) Use the method command at the monitor configuration level to
assign a health method to the monitor.
2. Apply the health monitor to a real server or real server port, using the
health-check command at the configuration level for the server or the
server port. Apply monitors that use the ICMP method to real servers.
(See “health-check” on page 307.) Apply monitors that use any of the
other types of methods to individual server ports. (See “port” on
page 308.)
Example These commands apply health monitor “ping” to server “rs0”. The ping moni-
tor is included in the ACOS device’s configuration by default and does not
need to be configured.

ACOS(config-real server)# health-check ping
Example The following commands configure health monitor “hm1” to use the TCP
health method, and apply the monitor to a TCP port on real server “rs1”. The
TCP health checks are sent to TCP port 23 on the server.

ACOS(config-health:monitor)# method tcp port 23
ACOS(config-real server)# port 23 TCP
Example The following commands configure health monitor “hm2” and set it to use
the HTTP method. The health monitor is applied to port 80 on real server
“rs1”.

ACOS(config-health:monitor)# method http
ACOS(config-real server)# port 80 http
Example These commands configure a TCP health monitor that sends an HTTP GET
request to TCP port 80, and expects the string “200” to be present in the
reply:
ACOS(config)# health monitor tcp-with-http-get

ACOS(config-health:monitor)# method tcp port 80 send "GET / HTTP/1.1\r\nHost:
page 383
22.1.2.2\r\nUser-Agent: a10\r\nAccept: */*\r\n\r\n" response contains 200
This health monitor sends an HTTP GET request to TCP port 80 on the target
server. This particular request uses the following header fields:
• Host – Specifies the host (server) to which the request is being sent.
• User-Agent – Identifies the entity (user agent) that is sending the
request. In this example, the sending entity is “a10”.
• Accept – Specifies the types of media that are allowed in the response.
This example uses wildcards (*/*) to indicate that any valid media type
and range are acceptable.
If the string “200” is present anywhere in the reply from the port, the port
passes the health check.
Example The following commands configure a RADIUS health monitor that accepts
response code 2 or 3 as passing (healthy) responses from a server:
ACOS(config)# health monitor rad1

ACOS(config-health:monitor)# method radius port 1812 expect response-code 2,3 secret
a10rad username admin1 password pwd1
Example Here is an external health-check example. Besides internal health checks,

which use a predefined health check method, you can use external health
checks with any of the following types of scripts are supported:
• Perl
• Shell
• TCL
Utility commands such as ping, ping6, wget, dig, and so on are supported.
For Tcl scripts, the health check parameters are transmitted to the script
through the predefined TCL array ax_env. The array variable
ax_env(ServerHost) is the server IP address and ax_env(ServerPort) is the
server port number. Set ax_env(Result) 0 as pass and set the others as fail.
TCL script filenames must use the “.tcl” extension.
To use the external method, import the program onto the ACOS device. The
script execution result indicates server status, which is stored in
ax_env(Result).
The following commands import external program “ext.tcl” from FTP server
192.168.0.1, and configure external health method “hm3” to use the
imported program to check the health of port 80 on the real server:
ACOS(config)# health external import "checking HTTP server" ftp://192.168.0.1/ext.tcl
ACOS(config-health:monitor)# method external port 80 program ext.tcl
page 384
For additional information and more examples, see the “External Health
Method Examples” section in the “Health Monitoring” chapter of the
override-ipv4
Description Send the health check to a specific IPv4 address, instead of sending the
health check to the IP address of the real server or GSLB service IP to which
the health monitor is bound. This command and the other override com-
mands are particularly useful for testing the health of remote links.
Syntax [no] override-ipv4 ipaddr
Default By default, a health check is addressed to the real server IP address of the
server to which the health monitor is bound.
Example The following commands configure a health monitor to check 192.168.1.1:
ACOS(config)# health monitor site1-hm

ACOS(config-health:monitor)# method icmp
ACOS(config-health:monitor)# override-ipv4 192.168.1.1
override-ipv6
Description Send the health check to a specific IPv6 address, instead of sending the
health check to the IP address of the real server to which the health monitor
is bound.
Syntax [no] override-ipv6 ipv6addr
Default By default, a health check is addressed to the real server IP address of the
server to which the health monitor is bound.
Example These commands configure a health monitor to check 2001:db8::1521:31ab:

ACOS(config-health:monitor)# method icmp
ACOS(config-health:monitor)# override-ipv6 2001:db8::1521:31ab
page 385
override-port
Description Send the health check to a specific protocol port, instead of sending the
health check to the server port to which the health monitor is bound.
Syntax [no] override-port portnum
Default By default, a health check is addressed to the protocol port number to which
the health monitor is bound.
Example These commands configure a health monitor to check port 8081 on

192.168.1.1:

ACOS(config-health:monitor)# override-ipv4 192.168.1.1
ACOS(config-health:monitor)# override-prt 8081
passive
Description Configures inband health monitoring based on HTTP status code.
Syntax [no] passive

{status-code-2xx | status-code-non-5xx}
[passive-interval seconds]
[sample-threshold samples-per-second]
[threshold percent]
status-code-2xx | Healthy status code numbers – These status codes indicate the HTTP ser-
status-code-non-5xx vice is healthy. You can specify any 2xx status code or any status code except
a 5xx code.
passive-interval seconds The health-monitor interval that is used when passive health monitoring is
activated. For proper operation of the feature, the passive interval should be
longer than the health monitor’s interval. You can specify 1-180 seconds.
The default is 10 seconds.

sample-threshold Minimum number of server replies that must contain one of the specified sta-
samples-per-second tus codes, within a one-second interval, before passive health monitoring is
enabled. The sample threshold prevents passive health monitoring from tak-
ing effect after only a small total number of samples are taken. You can spec-
ify 1-10000 samples per second. The default is 50.
threshold percent Minimum percentage of server replies that must contain a healthy status
code, within a given one-second interval, before passive health monitoring is
activated. You can specify 0-100 percent.
The default is 75 percent. If you specify 0, this parameter is disabled, in which

case there is no minimum threshold.
page 386
Example The following commands create a new health monitor, and enable passive
health-monitoring mode:
ACOS(config)# health monitor http-passive

ACOS(config-health:monitor)# passive status-code-2xx
The following command sets the method to HTTP:

The following commands configure a real server, service group, and virtual
server. The HTTP health monitor configured above is applied to the TCP port
on the real server.
ACOS(config)# slb server ser1 172.168.1.107
ACOS(config-real server)# no health-check
ACOS(config-real server-node port)# health-check http-passive
ACOS(config-slb svc group)# member ser1 80
retry
Description Maximum number of times ACOS will send the same health check to an
unresponsive server before determining that the server is down. You can
specify 1-5.
Syntax [no] retry number
Default 3
page 387
ssl-ciphers
Description Specify the ciphers to use in the health check of a real server or real server
port.
Syntax [no] ssl-ciphers openSSL-ciphers
openSSL- The OpenSSL Project ciphers command.
ciphers
For information on the OpenSSL Project ciphers command,
see the ciphers manpage in the OpenSSL Project documenta-
tion.
Example Configure a health monitor to use the default OpenSSL Project cipher suite
with the exclusion of EDH ciphers.
ACOS(config)# health monitor hm-https

ACOS(config-health:monitor)# ssl-ciphers DEFAULT:!EDH
ACOS(config-health:monitor)# method https
Example Bind the hm-https health monitor to the s1 real server on its 1.1.1.1 network
interface.

ACOS(config-real server)# health-check hm-https
ACOS(config-real server)# end
Example Bind the hm-https health monitor to the TCP port 80 of the s1 real server on
its 1.1.1.2 network interface. Also apply the Server_SSL1 server-SSL tem-
plate to the same port.
If the Server_SSL1 server-SSL template specifies a cipher suite in its

configuration (cipher command), that cipher suite takes precedence if and
only if the ACOS device is equipped with hardware that supports the cipher.
The supported cipher are listed at https://www.a10networks.com/support/
axseries/appnotes/A10-Thunder-SSL_Cipher_List.pdf
ACOS(config-real server-node port)# template server-ssl Server_SSL1
ACOS(config-real server-node port)# health-check hm-https
ACOS(config-real server-node port)# end
page 388
strictly-retry-on-server-error-response
Description Force the ACOS device to wait until all retries are unsuccessful before mark-
ing a server or port Down.
Syntax [no] strictly-retry-on-server-error-response
Default Disabled. For some health method types, the ACOS device marks the server
or port Down after the first failed health check attempt, even if the retries
option for the health monitor is set to higher than 0.
Usage This command is applicable only to some types of health monitors, such as
HTTP health monitors. For example, this command applies to HTTP health
monitors that expect a string in the server reply. By default, if the server’s
HTTP port does not reply to the first health check attempt with the expected
string, the ACOS device immediately marks the port Down.
Example The following commands configure an HTTP health monitor that checks for
the presence of “testpage.html”, and enable strict retries for the monitor.
ACOS(config)# health monitor http-exhaust

ACOS(config-health:monitor)# method http url GET /testpage.html
ACOS(config-health:monitor)# strictly-retry-on-server-error-response
up-retry
Description Number of consecutive times the device must pass the same periodic health
check, in order to be marked Up. You can specify 1-10.
Syntax [no] up-retry number
Default 1
page 389
page 390
Config Commands: Web Category
This chapter describes the commands for configuring Web Category classification.
web-category
Description Configure the operation of web category classification.
Syntax [no] web-category
This command changes the CLI to configuration level for Web Category
classification, where the following commands are available:
TABLE 4 Commands in the web-category Configuration Mode.
Command Description
[no] category-list category-list-name Create a list of web categories to provide criteria used in con-
figuration forward-policy source destination rules. See the
destination command under the forward-policy com-
mand.
After entering the command, you are placed in a sub-config-

uration mode where predefined lists are specified to be part
of the named category-list. The command enable for web-
category must precede configuration of a category-list.
[no] cloud-query-disable Disables cloud queries for URLs that are not present in the
local cache or database.
By default, cloud queries are enabled.

[no] database-server server-url URL of the BrightCloud database server.
Default: database.brightcloud.com
[no] db-update-time hh:mm Time of day at which ACOS requests an updated web cate-
gory database from the BrightCloud server.
Default is 00:00 (12 a.m.).

[no] enable Initializes and enables the BrightCloud library. The web-cate-
gory license file must be imported prior to using this feature
to enable the feature.
Disabled by default.
page 391
Command Description
[no] port portnum Protocol port where the BrightCloud server listens for
requests.
Default is 80.
[no] proxy-server Command in web-category configuration mode that speci-
fies a proxy-server to use for querying the BrightCloud data-
base server. This command places you in a sub-
configuration mode, where the commands in Table 5 are
available.
[no] remote-syslog-enable Enables data plane logging to a remote syslog server.
[no] rtu-update-disable Disables realtime updates.
Enabled by default. ACOS periodically checks for realtime

updates based on the rtu-update-interval setting and
adds them to the service cache.
[no] rtu-update-interval minutes Interval at which to periodically check for real time updates.
You can specify 10-14400 minutes. Default is 60 minutes.
[no] server server-url URL of the BrightCloud server.
Default: service.brightcloud.com
[no] server-timeout seconds Maximum number of seconds to wait for BrightCloud server
to respond to a query from ACOS. You can specify 1-300
seconds.
If a reply is not received before the timeout, ACOS terminates

the connection with the server.
Default is 15 seconds.
[no] ssl-port seconds Protocol port where the BrightCloud server listens for SSL
traffic.
Default is 443.
[no] use-mgmt-port Uses the management interface for all communication with
BrightCloud servers, including downloading the database
and any lookup queries.
The proxy-server commands places the device in web-category-proxy-

server configuration mode. Figure 5 lists the commands available in this
mode.
TABLE 5 Sub-Commands in the web-category-proxy-server Configuration Mode

Command Description
[no] proxy-host hostID Sub-command in web-category-proxy-server configuration mode
to specify the proxy server’s hostname or IP address to connect to.
• hostID
Proxy server’s hostname or the proxy server’s IP address in
either IPv4 or IPv6 format.
page 392
TABLE 5 Sub-Commands in the web-category-proxy-server Configuration Mode

Command Description
[no] http-port port-num Sub-command in web-category-proxy-server configuration mode
to specify the proxy server port to connect to through HTTP proto-
col.
• port-num
Port number of the proxy server to connect to through HTTP
protocol. If https-port is not configured, both HTTPS and HTTP
communication will be handled through the configured HTTP
port.
[no] https-port port-num Sub-command in web-category-proxy-server configuration mode
to specify the proxy server port to connect to through HTTPS pro-
tocol. If no HTTPS port is specified, HTTP protocol will be used.
• port-num
Port number of the proxy server to connect to through HTTPS
protocol. If http-port is not configured, both HTTPS and HTTP
communication will be handled through the configured HTTPS
port.
[no] username proxy-auth-username Sub-command in web-category-proxy-server configuration mode
to specify the username to use for authentication when connect-
ing with the proxy server.
• proxy-auth-username
Username to use for proxy server authentication.

[no] password proxy-auth-password Sub-command in web-category-proxy-server configuration mode
for specifying the password to use for authentication when con-
necting with proxy server.
• proxy-auth-password
Password to use for proxy server authentication.

[no] auth-type {ntlm [domain Sub-command in web-category-proxy-server configuration mode
ntlm-realm]| basic} to specify the authentication protocol type when connecting to
proxy server. The following options are available in this command:
• ntlm domain ntlm-realm

Specify NTLM authentication protocol. Specifying NTLM realm
is optional.
NTLM version 2 is used if this protocol is configured. NTLM ver-

sion 1 is not supported.
• basic
Specify BASIC authentication protocol.
A username and password must be configured for the authentica-

tion protocol used.
page 393
Default N/A
Mode web-category configuration mode
Usage The web-category configuration defines actions related to URL classification

and
configuration for connecting with the BrightCloud servers and is normally
used in conjunction with forward-policy source rules that link destination
and matching rules for an slb template policy through a category-list and
specifying categories for bypassing traffic in the forward-proxy-bypass
command in slb template client-ssl for SSLi configuration. The URLs are
categorized in a third-party database (BrightCloud) that ACOS can download
and periodically pull down updates from.
Example Configure an ACOS device to use a proxy-server through NTLM authentica-

tion protocol to connect with BrightCloud servers.
ACOS(config)# web-category
ACOS(config-web-category)# proxy-server
ACOS(config-web-category-proxy-server)# proxy-host 192.0.2.0
ACOS(config-web-category-proxy-server)# http-port 3128
ACOS(config-web-category-proxy-server)# https-port 8080
ACOS(config-web-category-proxy-server)# auth-type ntlm domain example
ACOS(config-web-category-proxy-server)# username exampleadmin
ACOS(config-web-category-proxy-server)# password 0e1x2a3m4p5l6e7
ACOS(config-web-category-proxy-server)# exit
Example Configure the web-category list Mail_Categories, then apply that list to the
configuration of the forward-policy source list Any_Source. Any request
whose destination is in the Web_Mail_List web-category-list is forwarded.
ACOS(config-web-category)# enable
Please check the show log output for Web category enable status
ACOS(config-web-category)# category-list Web_Mail_List
ACOS(config-web-category-category-list)# web-based-email
ACOS(config-web-category-category-list)# exit
ACOS(config-web-category)# exit
ACOS(config)#
...
ACOS(config-policy-forward-policy)# source Any_Source
ACOS(config-policy-forward-policy-source)# match-any
ACOS(config-policy-forward-policy-source)# destination web-category-list Web_Mail_List
action ForwardMail
Example Enable web category classification, then apply web-category classification

to bypass SSLi decryption and inspection for websites classified as finan-
cial-services, educational-institutions, or health-and-medicine.
page 394
ACOS(config-web-category)# enable
ACOS(config-web-category)# exit
ACOS(config)#
...
ACOS-Inside(config)# slb template client-ssl SSLInsight_ClientSide
ACOS-Inside(config-client ssl)# forward-proxy-bypass web-category financial-services
ACOS-Inside(config-client ssl)# forward-proxy-bypass web-category educational-institu-
tions
ACOS-Inside(config-client ssl)# forward-proxy-bypass web-category health-and-medicine
page 395
page 396
SLB Show Commands
The show slb commands display information for Server Load Balancing (SLB).
To automatically re-enter a show slb command at regular intervals, use the repeat command.
In addition to the command options provided with some show commands, you can use output modifi-
ers to search and filter the output. See “Searching and Filtering CLI Output” in the Command Line Inter-
face Reference.
NOTE: For information about other show commands, see the “Show Commands”
chapter in the Command Line Interface Reference.
• show slb aflow
• show slb attack-prevention
• show slb cache
• show slb compression
• show slb connection-reuse
• show slb conn-rate-limit
• show slb ddos-protection l4-entries
• show slb ddos-protection statistics
• show slb diameter
• show slb fast-http-proxy
• show slb fix
• show slb ftp
• show slb ftp-proxy
• show slb generic-proxy
• show slb geo-location
• show slb http-proxy
• show slb hw-compression
page 397
• show slb icap
• show slb l4
• show slb mssql
• show slb mssql
• show slb mysql
• show slb passthrough
• show slb performance
• show slb persist
• show slb pop3-proxy
• show slb rate-limit-logging
• show slb resource-usage
• show slb server
• show slb service-group
• show slb sip
• show slb smpp
• show slb smtp
• show slb spdy-proxy
• show slb ssl
• show slb ssl-cert-revoke-stats
• show slb ssl-counters
• show slb ssl-crl
• show slb ssl-expire-check
• show slb ssl-forward-proxy-cert
• show slb ssl-forward-proxy-stats
• show slb ssl-ocsp cache
• show slb ssl-ocsp cache detail
• show slb switch
• show slb syn-cookie-buffer
• show slb tcp stack
page 398
• show slb template
• show slb virtual-server
show slb aflow

Description Show aFlow statistics.
Syntax show slb aflow [detail]
detail List separate counters for each CPU in the statistics output.
Mode All
show slb attack-prevention

Description Show SYN-cookie statistics for the number of packets received during differ-
ent intervals of time.
Syntax show slb attack-prevention
Mode All
Usage When running the show slb attack-prevention command on an FTA-

enabled model, the “SYN attack” field does not show output for the historical
counters (1s/5s/30s/1min/5min). Output is only provided for the “current”
column.
This feature is supported for L3V private partitions in non-FTA-enabled

models. If the show slb attack-prevention command is run from an L3V
partition on an FTA-enabled model, the “SYN attack” counter displays zero
for all columns.
Example The following command shows SYN-cookie statistics:
ACOS# show slb attack-prevention

Current 1 sec 5 sec 30 sec 1 min 5 min
--------------------------------------------------------------------------------------
SYN cookie snt 0 0 0 0 0 0
SYN cookie snt ts 0 0 0 0 0 0
SYN cookie snt fail 0 0 0 0 0 0
SYN cookie chk fail 0 0 0 0 0 0
SYN attack 0 0 0 0 0 0
page 399
The following table describes the fields in the command output.
Field Description
SYN cookie snt Number of TCP SYN cookies sent.
SYN cookie snt ts Number of expanded TCP SYN cookies sent.
SYN cookie snt fail Number of TCP SYN cookie send attempts that failed.
SYN cookie chk fail Number of TCP SYN cookies for which the responding ACK failed the SYN cookie
check.
SYN attack Total number of SYN connections that did not receive an ACK from the client and
assumed to be SYN attack.
show slb cache

Description Display statistics and other information for RAM caching.
Syntax show slb cache

[entries vip-name port-num [url | detail] |
memory-usage |
replacement vip-name port-num |
stats [vip-name port-num]]
Option Description
entries vip-name port-num Shows a list of the cached objects for the specified VIP and virtual
port.
You can specify a url to further refine the statistics shown for each
cached entry/URL maintained under a cache template that is bound to
a virtual port.
If certain headers are present in the server response, such as Age, Via,
Connection, they will be removed and the ACOS device will add a sepa-
rate header for them before the response is stored in cache. Similarly if
the cache template has the remove-cookies option set, any cookie
header in the server response will be removed before saving the same
in cache.
If the url includes special characters such as a question mark, the

character must be represented in its octal notation as (for example,
\077 for the question mark) in the URL string. A URL name such as “/
testing?html” is specified as “/testing\077html” and it must be
enclosed within double quotes to ensure that it is interpreted correctly.
memory-usage Shows memory usage for RAM caching.
replacement vip-name port-num Shows replacement information for the specified virtual port on the
specified virtual server.
stats [vip-name port-num] Lists RAM caching statistics by VIP. If you specify a VIP or port num-
ber, statistics are displayed only for that VIP or port number.
Mode All
page 400
Usage If you do not use any of the optional parameters, RAM caching statistics are
displayed. This is equivalent to entering the show slb cache stats com-
mand.
Example The following command shows RAM caching statistics:
ACOS# show slb cache

Total
---------------------------------------------------------------
Cache Hits 0 (0.0 %)
Cache Misses 0
Memory Used 0
Bytes Served 0
Requests
- Total Requests 0
- Cacheable Requests 0
- No-cache Requests 0
- IMS Requests 0
Responses (from server)

- 304 Not Modified 0
- 200 OK - Cont Len 0
- 200 OK - Chnk Enc 0
- 200 OK - Other 0
- Not cacheable 0
Responses (from cache)

- 304 Not Modified 0
- 200 OK - No Comp 0
- 200 OK - Gzip 0
- 200 OK - Deflate 0
- Other 0
Entries
- Cached 0
- Replaced 0
- Aged Out 0
- Cleaned 0
- Create failures 0
Revalidation
- Successes 0
- Failures 0
page 401
Policies
- URI nocache 0
- URI cache 0
- URI invalidate 0
- Content Too Big 0
- Content Too Small 0
Field Description
Cache Hits Number of times a requested page was found in the cache and served from the
cache.
Cache Misses Number of times a requested page was not found in the cache.
Memory Used Amount of RAM currently used by cached content.
Bytes Served Number of bytes served.
Requests Contains the following conters:
• Total Requests – Total number of requests received on all virtual server ports on
which caching is configured.
• Cacheable Requests – Number of requests that are potentially cacheable.
• No-cache Requests – Number of requests with no-cache header directives.
• IMS Requests – Number of requests that contained an If-Modified-Since header.

Responses (from Contains the following counters:
server)
• 304 Not Modified – Number of “304 Not Modified” responses sent from the
server.
• 200 OK - Cont Len – Number of “200 OK - Cont Len” responses sent to clients.
• 200 OK - Chnk Enc – Number of “200 OK - Chnk Enc” responses sent to clients.
• 200 OK - Other – Number of “200 OK - Other” responses sent to clients.
• Not cacheable – Number of responses with no-cache header directives.
page 402
Field Description
Responses (from Contains the following counters:
cache)
• 304 Not Modified – Number of “304 Not Modified” responses sent from the cache.
• 200 OK - No Comp – Number of “200 OK - No Comp” responses sent from the

cache. “No Comp” indicates that the object is not compressed.
• 200 OK - Gzip – Number of “200 OK - Gzip” responses sent from the cache. This
indicates that an object was compressed using gzip. Gzip is an encoding format
produced by the file compression program “gzip” (GNU zip) as described in RFC
1952 (Lempel-Ziv coding [LZ77] with a 32 bit CRC).
• 200 OK - Deflate – Number of “304 Not Modified” responses sent from the cache.
This indicates that an object was compressed using deflate. Deflate is the “zlib”
format defined in RFC 1950 in combination with the “deflate” compression mecha-
nism described in RFC 1951.
• Other – Number of “Other” responses sent from the cache. This indicates that an
object was compressed using compress. Compress is the encoding format pro-
duced by the common UNIX file compression program “compress” (adaptive Lem-
pel-Ziv-Welch coding [LZW]).
Entries Contains the following counters:
• Cached – Number of objects currently in the cache.
• Replaced – Number of cached items that were removed to make room for newer
entries, per the replacement policy.
• Aged Out – Number of entries that were removed because they are older than
their expiration time.
• Cleaned – Number of cached objects that have aged out and therefore been
removed from the cache.
• Create Failures – Number of times ACOS failed to create a cache entry.

Revalidation Contains the following counters:
• Successes – Number of entries that were successfully revalidated by the server.
• Failures– Number of times revalidation failed.

Policies Contains the following counters:
• URI nocache – Number of times requested content was not cached due to a URI
policy.
• URI cache – Number of times a request was cached due to a URI policy.
• URI invalidate – Number of times a request was invalidated due to a URI policy.
• Content Too Big – Number of cacheable items that were not cached because the
file size was larger than the configured maximum content size.
• Content Too Small – Number of cacheable items that were not cached because
the file size was smaller than the configured minimum content size.
Example The following command shows cached objects:
page 403
ACOS# show slb cache entries vs-cookie-cache 80

vs-cookie-cache:80
Host Object URL Bytes Type Status Expires in
---------------------------------------------------------------------------------------
10.20.0.120 /static2/1000.txt 1365 CL,No FR 3410 s
10.20.0.120 /static2/1000000.txt 636152 CE,Gz FR 3594 s
10.20.0.120 /ewen/index.html 1479 CL,Mo FR -57 s
Field Description
cached-vip Virtual port number on which RAM caching is enabled.
Host IP address of the content server.
Object URL URL from which the cached object was obtained by the ACOS device.
Bytes Length of the cached object.
Type Indicates whether the cached object has a Content-Length header, is compressed, or is
chunk-encoded.
The value after the comma indicates the type of compression used:
• No – Object is uncompressed.
• Gz – Object was compressed using gzip. Gzip is an encoding format produced by the
file compression program “gzip” (GNU zip) as described in RFC 1952 (Lempel-Ziv
coding [LZ77] with a 32 bit CRC).
• Cm – Object was compressed using compress. Compress is the encoding format

produced by the common UNIX file compression program “compress” (adaptive
Lempel-Ziv-Welch coding [LZW]).
• Df – Object was compressed using deflate. Deflate is the “zlib” format defined in RFC
1950 in combination with the “deflate” compression mechanism described in RFC
1951.
Status Status of the entry:
• FR – Fresh
• ST – Stale
• IN – Incomplete
• FA – Failed
• UN – Unknown
• R – The entry must be revalidated.

Expires in Number of seconds the object can remain unused before it ages out.
Example The following command shows RAM caching memory usage:
page 404
ACOS# show slb cache memory-usage

VIP Port Memory Configured Memory Used Percent Used
---------------------------------------------------------------------------------------
vs120 80 10485760 8386560 79.98%
---------------------------------------------------------------------------------------
Total 10485760 8386560 79.98%
Example The following command shows replacement statistics:
ACOS# show slb cache replacement cached-vip 80

Frequency Total
---------------------------------------------------------------
1/256 6
1/128 0
1/64 0
1/32 0
1/16 0
1/8 0
1/4 0
1/2 0
1 0
2 0
4 0
8 0
16 0
32 0
64 0
128 2
The output shows the distribution of requests for the cached entries. Entries
listed for 1/256 (one in 256 requests) are the least requested, whereas
entries listed for 128 are the most requested.
page 405
show slb compression

Description Show HTTP compression statistics in bytes.
Syntax show slb compression

[virtual-server port-num]
[all-partitions | partition {shared | name}]
Option Description
virtual-server Show HTTP compression statistics for the specified virtual
port-num server only.
The port-num option shows information only for the speci-

fied virtual port on the virtual server.
all-partitions Show HTTP compression statistics in all partitions.
partition Show HTTP compression statistics in the specified partition
{shared | name} or shared partition.
Mode All
show slb connection-reuse

Description Show SLB connection-reuse statistics.
Syntax show slb connection-reuse [detail]
detail List separate counters for each CPU in the statistics output.
Mode All
Example The following command shows summary connection-reuse statistics:
ACOS# show slb connection-reuse

Total
------------------------------------------------------------------
Open persist 0
Active persist 0
Total established 1787
Total terminated 1787
Total terminated by err 0
Total bind 1277
Total unbind 2389
Delayed unbind 4
Long resp 0
Missed resp 0
Unbound data rcvd 0
page 406
Pause request 0
Pause request fail 0
Resume request 0
Not remove from list 0
Field Description
Open persist Number of new client connections directed to the same server as previous connec-
tions by the persistence feature.
Active persist Number of currently active connections that were sent to the same real server by the
persistence feature.
Total established Total number of established connections to the backend server.
Total terminated Total number of terminated connections to the backend server.
Total terminated by err Total Number of backend connections terminated due to an error.
Total bind Total number of client persistent connections bound to the backend server.
Total unbind Total number of client persistent connections unbound from the backend server.
Delayed unbind Number of connections whose unbinding was delayed.
NOTE: In the current release, this counter is unused and is always 0.

Long resp Number of responses that took too long.
Missed resp Number of missed responses to HTTP requests.
Unbound data rcvd Amount of data received on an unbound connection. This is used for debugging pur-
poses.
Pause request These are internal counters used by A10 Technical Support for debugging purposes.
Pause request fail
Resume request
Not remove from list
show slb conn-rate-limit

Description Show statistics for source-IP based connection rate limiting.
Syntax show slb conn-rate-limit src-ip

{locked-out-ips | statistics [debug]}
Mode All
Example This command shows statistics for source-IP based connection rate limit-
ing:
ACOS(config)# show slb conn-rate-limit src-ip statistics

Sessions allocated 0
Sessions freed 0
page 407
Too many sessions consumed 0

Out of sessions 0
Threshold check count 1022000
Honor threshold count 20532
Threshold exceeded count 1001408
Lockout drops 60
Log messages sent 20532
DNS requests re-transmitted 1000
No DNS response for request 1021000
The following table describes the fields in the show command output.
Field Description
Sessions allocated Number of sessions allocated.
Sessions freed Number of sessions freed.
Too many sessions con- Number of times too many sessions were consumed.
sumed
Out of sessions Number of times the device ran out of sessions.
Threshold check count Number of times the ACOS device has checked for connection-limit violations.
Honor threshold count Number of requests permitted because they were within the connection limit.
Threshold exceeded count Number of requests denied because they exceeded the connection limit.
Lockout drops Number of requests dropped because a client was locked out.
Log messages sent Number of log messages generated by this feature.
DNS requests re-transmitted Number of re-transmitted DNS requests detected. These are DNS requests for
which no response was received by the ACOS device.
No DNS response for request Number of DNS requests for which no response was received.
show slb ddos-protection l4-entries

Description This command displays abnormal L4 port entries from DDoS monitoring and
selective filtering.
Syntax show slb ddos-protection l4-entries

[address ipaddr | in-hardware | l4-proto protocol-num |
not-in-hardware | port port-num]
Example The following example displays sample output:
ACOS(config)# show slb ddos-protection l4-entries

Address L4 Port PPS
----------------------------------
1.1.1.1 17 333 5000
page 408
Usage The following table describes the fields for the show command output:
Field Description
Address The destination IP address that traffic is matched to.
L4 The Layer 4 protocol type. In the above example, L4 17 indicates UDP traffic.
Port The specific destination IP port that traffic is matched to.
HW? This indicates whether or not the entry is programmed into the hardware. A “Y” means
the entry is programmed into the hardware, and an “N’” means it is not.
Pkts in last 10 sec The number of packets that match the IP address and the given port in the last 10 sec-
onds.
show slb ddos-protection statistics

Description This command displays the logging statistics for SLB DDoS selective filter-
ing.
Syntax show slb ddos-protection statistics
Mode All
Example The following is a sample output:
ACOS# show slb ddos-protection statistics

L3 Entry Added 0
L3 Entry Deleted 0
L3 Entry Added to BGP 0
L3 Entry Removed From BGP 0
L3 Entry Added to HW 0
L3 Entry Removed From HW 0
Too Many L3 entries 0
L3 Entry Match Drop 0
HW L3 Entry Match Drop 0
L4 Entry Added 3
L4 Entry Deleted 2
L4 Entry Added to HW 3
L4 Entry Removed From HW 1
HW out of L4 Entries 0
L4 Entry Match Drop 5
HW L4 Entry Match Drop 2153756264
show slb diameter

Description Show statistics for Diameter load balancing.
page 409
Syntax show slb diameter [detail]
detail Show statistics per CPU in the output.
device Devi- If the ACOS device is a member of an aVCS virtual chassis, use
ceID this option to specify the device ID to which to apply this com-
mand. If you omit this option, the command is applied to the
vMaster.
However, if you have changed the device context of the man-

agement session from the vMaster to another device, and you
omit the device option, the command is applied only to the
other device (the one to which you set the device context).
Mode All
Example The following command shows statistics for Diameter load balancing:
ACOS# show slb diameter

Total
------------------------------------------------------------------
Current proxy conns 0
Total proxy conns 0
client fail 0
server fail 0
Server selection failure 0
no route failure 0
Source NAT failure 0
concurrent user-session 0
acr out 0
acr in 0
aca out 0
aca in 0
cea out 0
cea in 0
cer out 0
cer in 0
dwr out 0
dwr in 0
dwa out 0
dwa in 0
str out 0
str in 0
sta out 0
sta in 0
asr out 0
page 410
asr in 0
asa out 0
asa in 0
other out 0
other in 0
mismatch fwd session id
mismatch rev session id
unknown command code
no session id drop
no fwd tuple drop
no rev tuple drop
cross cpu fwd send
cross cpu fwd rcv
cross cpu rev send
cross cpu rev rcv
cross cpu fail
retry client req
retry client req fail
reply unknown session id
Field Description
Current proxy conns Number of active Diameter connections using the ACOS device as an Diameter
proxy.
Total proxy conns Number of Diameter connections that used the ACOS device as an Diameter
proxy.
client fail Number of times selection of a client failed.
server fail Number of times selection of a server failed.
Server selection failure Number of times selection of a real server failed.
no route failure Number of failures due to no route.
Source NAT failure Number of source NAT failures.
concurrent user-session Number of concurrent user sessions.
acr out Number of Accounting-Request messages sent by the ACOS device.
acr in Number of Accounting-Request messages received by the ACOS device.
aca out Number of Accounting-Answer messages sent by the ACOS device.
aca in Number of Accounting-Answer messages received by the ACOS device.
cea out Number of Capabilities-Exchange-Answer messages sent by the ACOS device.
cea in Number of Capabilities-Exchange-Answer messages received by the ACOS device.
cer out Number of Capabilities-Exchange-Request messages sent by the ACOS device.
cer in Number of Capabilities-Exchange-Request messages received by the ACOS
device.
dwr out Number of Device-Watchdog-Request messages sent by the ACOS device.
page 411
Field Description
dwr in Number of Device-Watchdog-Request messages received by the ACOS device.
dwa out Number of Device-Watchdog-Answer messages sent by the ACOS device.
dwa in Number of Device-Watchdog-Answer messages received by the ACOS device.
str out Number of Session-Termination-Request messages sent by the ACOS device.
str in Number of Session-Termination-Request messages received by the ACOS device.
sta out Number of Session-Termination-Answer messages sent by the ACOS device.
sta in Number of Session-Termination-Answer messages received by the ACOS device.
asr out Number of Abort-Session-Request messages sent by the ACOS device.
asr in Number of Abort-Session-Request messages received by the ACOS device.
asa out Number of Abort-Session-Answer messages sent by the ACOS device.
asa in Number of Abort-Session-Answer messages received by the ACOS device.
other out Number of other types of Diameter messages (other codes) sent by the ACOS
device.
other in Number of Diameter messages of other types received by the ACOS device.
ccr out Total Credit-Control-Request messages sent.
ccr in Total Credit-Control-Request messages received.
cca out Total Credit-Control-Answer messages sent.
cca in Total Credit-Control-Answer messages received.
ccr initial Total Credit-Control-Request-initial messages received.
ccr update Total Credit-Control-Request-update messages received.
ccr termination Total Credit-Control-Request-termination messages received.
cca termination Total Credit-Control-Answer-termination messages received.
term session on cca-t Total sessions ACOS terminated for Credit-Control-Answer-Termination.
mismatch fwd session id Client session ID does not match Diameter session table.
mismatch rev session id Server session ID does not match Diameter session table.
unknown command Drop Diameter session because of unrecognized command code.
code
no session id drop Cannot find session ID AVP in the message, drop request.
no fwd tuple drop Cannot match client L4 session, drop message.
no rev tuple drop Cannot match server L4 session, drop message.
cross cpu fwd send Number of client messages sent to server using different CPU.
cross cpu fwd rcv Number of client messages received by different CPU and sent to server.
cross cpu rev send Number of server message sent to client using different CPU.
cross cpu rev rcv Number of server message received by different CPU and sent to client.
cross cpu fail Number of failures during cross CPU process.
retry client req Number of times reselect is performed and a different server is chosen.
retry client req fail Failure counter for retry client features.
reply unknown session id Total unknown-session-id messages sent with error-code 5002.
page 412
show slb fast-http-proxy

Description Show statistics for SLB fast-HTTP proxy.
Syntax show slb fast-http-proxy [server-name port] [detail]
server-name port Show statistics for the specified server and port only.
Mode All
Example The following command shows summary fast-HTTP-proxy statistics:
ACOS# show slb fast-http-proxy

Total
------------------------------------------------------------------
Curr Proxy Conns 0
Total Proxy Conns 0
HTTP requests 0
HTTP requests(succ) 0
No proxy error 0
Client RST 0
Server RST 0
No tuple error 0
Parse req fail 0
Server selection fail 0
Fwd req fail 0
Fwd req data fail 0
Req retransmit 0
Req pkt out-of-order 0
Server reselection 0
Server premature close 0
Server conn made 0
Request over limit 0
Request rate over limit 0
Out RSTs 0
Full proxy tot 0
Full proxy POST 0
Full proxy pipeline 0
Full proxy fpga err 0
Close on DDoS 0
DNS unresolve 0
Policy drop 0
page 413
Field Description
Curr Proxy Conns Number of currently active connections using the fast-HTTP proxy.
Total Proxy Conns Total number of connections that have used the fast-HTTP proxy.
HTTP requests Number of HTTP requests received by the fast-HTTP proxy.
HTTP requests(succ) Number of HTTP requests successfully fulfilled (by establishing a connection to
a real server).
No proxy error Number of proxy errors.
Client RST Number of times TCP connections with clients were reset.
Server RST Number of times TCP connections with servers were reset.
No tuple error Number of tuple errors.
Parse req fail Number of times the HTTP parser failed to parse a received HTTP request.
Server selection fail Number of times selection of a real server failed.
Fwd req fail Number of forward request failures.
Fwd req data fail Number of forward request data failures.
Req retransmit Number of retransmitted requests.
Req pkt out-of-order Number of request packets received from clients out of sequence.
Server reselection Number of times initial selection of a real server for an HTTP request failed (for
example, due to a TCP Reset sent by the server).
Server premature close Number of times the connection with a server closed prematurely.
Server conn made Number of connections made with servers.
Request over limit Number of times the request limit was exceeded.
Request rate over limit Number of times the request rate limit was exceeded.
Out RSTs Number of TCP RSTs sent out.
Full proxy tot Total number of full proxy HTTP sessions.
Full proxy POST Total number of full proxy sessions for HTTP POST request.
Full proxy pipeline Total number of pipelined requests.
Full proxy fpga err Total number of FPGA errors.
Close on DDoS Number of times session is closed due to Denial of Service attack.
show slb fix

Description Show SLB statistics for the Financial Information Exchange (FIX) proxy.
page 414
Syntax show slb fix [detail]
Mode All
Example The following command shows FIX SLB statistics.
ACOS(config)# show slb fix

Total
------------------------------------------------------------------
Total proxy conns 2
Client fail 7
Server fail 2
no route failure 0
Insert client IP 5
Default switching 1
Sender ID switching 4
Target ID switching 0
Field Description
Current proxy conns Number of currently active connections using the FIX proxy.
Total proxy conns Total number of connections that have used the FIX proxy.
Client fail Number of times that the connection was terminated due to an error on the client
side.
Server fail Number of times that the connection was terminated due to an error on the server
side.
no route failure Number of times FIX failed due to a route lookup failure.
Source NAT Failure Number of source NAT failures.
Insert client IP Number of times that the ACOS inserted the client’s IP address into tag 11447 and
forwarded the recalculated request packet to the FIX server.
Default switching Number of times that the ACOS parsed the tag value from a client’s request and
selected a service-group based on a match with the configured tag keyword.
Sender ID Switching Instances of content switching based on the sender’s identification tag (SenderCom-
pID).
Target ID Switching Instances of content switching based on the receiver’s identification tag (Target-
CompID).
page 415
show slb ftp

Description Show SLB FTP statistics.
Syntax show slb ftp
Mode All
Example The following command shows SLB FTP statistics.
ACOS# show slb ftp

Total Control Sessions 0
Total ALG packets 0
ALG packets rexmitted 0
Total Data Sessions 0
Total PORT helper sessions 0
Total PASV helper sessions 0
Drop Data Port out of range 0
Field Description
Total Control Sessions Total number of FTP control sessions load-balanced by the ACOS device.
Total ALG packets Total number of Application Layer Gateway (ALG) packets.
ALG packets rexmitted Number of ALG packets that have been retransmitted.
Out of Connections Number of times an FTP control session could not be established because none of
the real servers had available connections.
Total Data Sessions Total number of FTP data sessions load-balanced by the ACOS device.
Out of Connections Number of times an FTP data session could not be established because none of
the real servers had available connections.
show slb ftp-proxy

Description Display FTP-proxy statistics.
Syntax show slb ftp-proxy [detail]
Mode All
show slb generic-proxy

Description Display generic-proxy statistics.
page 416
Syntax show slb generic-proxy [detail]
Mode All
show slb geo-location

Description Display geo-location information.
Syntax show slb geo-location

[
virtual-server-name |
port-num |
bad-only |
depth num |
id group-id |
ip ipaddr |
location location-name |
statistics
]
Option Description
virtual-server-name Displays geo-location information for only the specified virtual server.
port-num Displays geo-location information for only the specified virtual port.
bad-only Displays only the invalid entries.
depth num Specifies how many nodes in the geo-location data tree to display. For exam-
ple, to display only continent and country entries and hide individual state and
city entries, specify depth 2. By default, the full tree is displayed. You can spec-
ify 1-5.
id group-id Displays geo-location information for only the specified black/white-list group
ID.
ip ipaddr Displays geo-location database entries for only the specified IP address.
location location-name Displays geo-location database entries for only the specified location.
statistics Displays statistics for the specified geo-location.
Mode All
Example This example displays geo-location statistics
ACOS# show slb geo-location statistics
M = Matched or Level, ID = Group ID

Conn = Connection number, Last = Last Matched IP
v = Exact Match, x = Fail
Virtual Server: vip1/80, c-share
--------------------------------------------------------------------------------
page 417
Max Depth: 3
Success: 3
Geo-location M ID Permit Deny Conn Last
--------------------------------------------------------------------------------
US.CA.SJ v 3 1 1 1 77.1.1.107
--------------------------------------------------------------------------------
Total: 1
show slb http-proxy

Description Show statistics for SLB HTTP proxy.
Syntax show slb http-proxy [virtual-server port-num] [detail]
Option Description
detail Lists separate counters for each CPU.
virtual-server Displays counters for HTTP response codes. For the virtual-
port-num server port-num, enter the name of a virtual server and its port.
The port-num can be 1-65534.
Mode All
Example The following command shows summary HTTP-proxy statistics:
ACOS# show slb http-proxy

Total
------------------------------------------------------------------
Curr Proxy Conns 23
Total Proxy Conns 621328
HTTP requests 621324
HTTP requests(succ) 621323
HTTP requests(CONNECT) 0
HTTP requests enter SSLi 0
HTTP req (cache succ) 0
No proxy error 0
Client RST 0
Server RST 12
No tuple error 0
Parse req fail 0
Server selection fail 0
Fwd req fail 0
Fwd req data fail 0
Req retransmit 0
Req pkt out-of-order 0
page 418

Server conn made 621324
Tot data before compress 0
Tot data after compress 0
Request over limit 0
Request rate over limit 0
Close on DDoS 0
Field Description
Curr Proxy Conns Number of currently active HTTP connections using the ACOS device as an
HTTP proxy.
Total Proxy Conns Total number of HTTP connections that have used the ACOS device as an HTTP
proxy.
HTTP requests Total number of HTTP requests received by the HTTP proxy.
HTTP requests(succ) Number of HTTP requests received by the HTTP proxy that were successfully
fulfilled (by connection to a real server).
HTTP requests(CONNECT) Number of CONNECT requests received by the HTTP proxy.
HTTP requests enter SSLi Number of HTTP requests directed to SSLi.
HTTP req (cache succ) Number of HTTP requests received by the HTTP proxy that were successfully
fulfilled from the cache.
Parse req fail Number of times parsing of an HTTP request failed.
Server selection fail Number of times selection of a real server failed.
Fwd req fail Number of forward request failures.
Fwd req data fail Number of forward request data failures.
Req retransmit Number of retransmitted requests.
Req pkt out-of-order Number of request packets received from clients out of sequence.
Server reselection Number of times a request was forwarded to another server because the current
server was failing.
Server conn made Number of connections made with servers.
Tot data before compress These counters show statistics for HTTP compression, in bytes.
Tot data after compress
Request over limit Current request number exceeds the limit defined in policy template.
page 419
Field Description
Request rate over limit Request rate exceeds the limit defined in policy template.
Close on DDoS Connection was forced to close due to a DDoS attack.
Example The following command shows HTTP response code statistics:
ACOS(config)# show slb http-proxy vs800-http 80

Total
------------------------------------------------------------------
status code 1XX 3
status code 2XX 1
status code 3XX 12
status code 4XX 8
status code 5XX 2
status code 6XX 3
...
Rsp time < 200m 0
Rsp time < 500m 1
Rsp time < 1s 3
Rsp time < 2s 7
Rsp time < 5s 13
Rsp time >= 5s 22
show slb hw-compression

Description Show statistics for hardware-based compression.
Syntax show slb hw-compression [detail]
Mode All
Usage Hardware-based compression is available using an optional hardware mod-

ule in some models. If this command does not appear on your ACOS device,
the device does not contain a compression module.
Example The following commands first enable hardware-based compression (hw-

compression command), then display statistics for the feature:

ACOS(config-common)# hw-compression
ACOS(config-common)# show slb hw-compression
Hardware compression device is installed.
page 420
Hardware compression module is enabled.

Total
------------------------------------------------------------------
total request count 177157
total submit count 177157
total response count 177157
total failure count 0
last failure code 0
compression queue full 0
max queued request count 84
max queued submit count 68
show slb icap

Description Show ICAP statistics for debugging.
Syntax show slb icap [detail]
Mode All
ACOS# show slb icap detail

DP0 DP1 DP2 DP3 DP4 DP5 Total
------------------------------------------------------------------
reqmod request 0 0 0 0 0 0 0
respmod request 0 0 0 0 0 0 0
reqmod req after 100 0 0 0 0 0 0 0
respmod req after 100 0 0 0 0 0 0 0
reqmod response 0 0 0 0 0 0 0
respmod response 0 0 0 0 0 0 0
reqmod resp after 100 0 0 0 0 0 0 0
respmod resp after 100 0 0 0 0 0 0 0
send option req 0 0 0 0 0 0 0
recv option resp 0 0 0 0 0 0 0
chunk no allow 204 0 0 0 0 0 0 0
Big CL so no allow 204 0 0 0 0 0 0 0
result continue 0 0 0 0 0 0 0
result icap response 0 0 0 0 0 0 0
result 100 continue 0 0 0 0 0 0 0
result other 0 0 0 0 0 0 0
status 2xx 0 0 0 0 0 0 0
status 200 0 0 0 0 0 0 0
status 201 0 0 0 0 0 0 0
status 202 0 0 0 0 0 0 0
page 421
status 203 0 0 0 0 0 0 0
status 204 0 0 0 0 0 0 0
status 205 0 0 0 0 0 0 0
status 206 0 0 0 0 0 0 0
status 207 0 0 0 0 0 0 0
status 1xx 0 0 0 0 0 0 0
status 100 0 0 0 0 0 0 0
status 101 0 0 0 0 0 0 0
status 102 0 0 0 0 0 0 0
status 3xx 0 0 0 0 0 0 0
status 300 0 0 0 0 0 0 0
status 301 0 0 0 0 0 0 0
status 302 0 0 0 0 0 0 0
status 303 0 0 0 0 0 0 0
status 304 0 0 0 0 0 0 0
status 305 0 0 0 0 0 0 0
status 306 0 0 0 0 0 0 0
status 307 0 0 0 0 0 0 0
status 4xx 0 0 0 0 0 0 0
status 400 0 0 0 0 0 0 0
status 401 0 0 0 0 0 0 0
status 402 0 0 0 0 0 0 0
status 403 0 0 0 0 0 0 0
status 404 0 0 0 0 0 0 0
status 405 0 0 0 0 0 0 0
status 406 0 0 0 0 0 0 0
status 407 0 0 0 0 0 0 0
status 408 0 0 0 0 0 0 0
status 409 0 0 0 0 0 0 0
status 410 0 0 0 0 0 0 0
status 411 0 0 0 0 0 0 0
status 412 0 0 0 0 0 0 0
status 413 0 0 0 0 0 0 0
status 414 0 0 0 0 0 0 0
status 415 0 0 0 0 0 0 0
status 416 0 0 0 0 0 0 0
status 417 0 0 0 0 0 0 0
status 418 0 0 0 0 0 0 0
status 419 0 0 0 0 0 0 0
status 420 0 0 0 0 0 0 0
status 422 0 0 0 0 0 0 0
status 423 0 0 0 0 0 0 0
status 424 0 0 0 0 0 0 0
status 425 0 0 0 0 0 0 0
page 422
status 426 0 0 0 0 0 0 0
status 449 0 0 0 0 0 0 0
status 450 0 0 0 0 0 0 0
status 5xx 0 0 0 0 0 0 0
status 500 0 0 0 0 0 0 0
status 501 0 0 0 0 0 0 0
status 502 0 0 0 0 0 0 0
status 503 0 0 0 0 0 0 0
status 504 0 0 0 0 0 0 0
status 505 0 0 0 0 0 0 0
status 506 0 0 0 0 0 0 0
status 507 0 0 0 0 0 0 0
status 508 0 0 0 0 0 0 0
status 509 0 0 0 0 0 0 0
status 510 0 0 0 0 0 0 0
status 6xx 0 0 0 0 0 0 0
status unknown 0 0 0 0 0 0 0
app serv conn no pcb err 0 0 0 0 0 0 0
app serv conn err 0 0 0 0 0 0 0
chunk1 hdr err 0 0 0 0 0 0 0
chunk2 hdr err 0 0 0 0 0 0 0
chunk bad trail err 0 0 0 0 0 0 0
no payload next buff err 0 0 0 0 0 0 0
no payload buff err 0 0 0 0 0 0 0
resp hdr incomplete err 0 0 0 0 0 0 0
serv sel fail err 0 0 0 0 0 0 0
start icap conn fail err 0 0 0 0 0 0 0
prep req fail err 0 0 0 0 0 0 0
icap ver err 0 0 0 0 0 0 0
icap line err 0 0 0 0 0 0 0
encap hdr incomplete err 0 0 0 0 0 0 0
no icap resp err 0 0 0 0 0 0 0
resp line read err 0 0 0 0 0 0 0
resp line parse err 0 0 0 0 0 0 0
resp hdr err 0 0 0 0 0 0 0
req hdr incomplete err 0 0 0 0 0 0 0
no status code err 0 0 0 0 0 0 0
http resp line read err 0 0 0 0 0 0 0
http resp line parse err 0 0 0 0 0 0 0
http resp hdr err 0 0 0 0 0 0 0
page 423
show slb icap-http

Description Show ICAP HTTP statistics for debugging.
Syntax show slb icap-http [detail]
Mode All
ACOS# show slb icap-http detail

DP0 DP1 DP2 DP3 DP4 DP5 DP6 DP7 DP8 DP9 DP10 DP11 DP12 DP13 DP14 DP15 Total
-----------------------------------------
status 2xx 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 200 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 201 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 202 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 203 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 204 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 205 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 206 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 207 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 1xx 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 100 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 101 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 102 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 3xx 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 300 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 301 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 302 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 303 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 304 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 305 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 306 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 307 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 4xx 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 400 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 401 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 402 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 403 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 404 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 405 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 406 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 407 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 408 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
page 424
status 409 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 410 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 411 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 412 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 413 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 414 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 415 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 416 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 417 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 418 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 419 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 422 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 423 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 424 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 425 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 426 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 449 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 450 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 5xx 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 501 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 502 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 503 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 504 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 505 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 506 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 507 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 508 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 509 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 510 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 6xx 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
show slb l4
Description Show Layer-4 SLB statistics.
Syntax show slb l4 [detail]
Mode All
Example The following command shows summary statistics for Layer 4 SLB:
page 425
ACOS# show slb l4

Total
------------------------------------------------------------------
IP out noroute 0
TCP out RST 0
TCP out RST no SYN 0
TCP out RST L4 proxy 0
TCP out RST ACK attack 0
TCP out RST aFleX 0
TCP out RST stale sess 0
TCP out RST TCP proxy 0
TCP SYN received 226510
TCP SYN cookie snt 226510
TCP SYN cookie expd snt 0
TCP SYN cookie snt fail 0
TCP received 1042844
UDP received 0
L2 DSR received 0
L3 DSR received 0
Server sel failure 0
Source NAT no fwd route 0
Source NAT no rev route 0
Source NAT ICMP Process 0
Source NAT ICMP No Match 0
Auto NAT id mismatch 0
TCP SYN cookie failed 0
L4 SYN attack 226510
NAT no session drops 0
vport not matching drops 0
No SYN pkt drops 0
No SYN pkt drops - FIN 0
No SYN pkt drops - RST 0
No SYN pkt drops - ACK 0
Conn Limit drops 0
Conn Limit resets 0
Conn rate limit drops 0
Conn rate limit resets 0
Proxy no sock drops 0
aFleX drops 0
Session aged out 0
TCP Session aged out 0
UDP Session aged out 0
Other Session aged out 0
page 426
TCP no SLB 0
UDP no SLB 0
SYN Throttle 0
Inband HM retry 0
Inband HM reassign 0
Auto-reselect server 0
Fast aging set 0
Fast aging reset 0
TCP invalid drop 0
Out of sequence ACK drop 0
SYN stale sess drop 589824
Anomaly out of sequence 0
Anomaly zero window 0
Anomaly bad content 0
Anomaly pbslb drop 0
No resource drop 0
Reset unknown conn 0
RST L7 on failover 0
TCP SYN Other Flags Drop 0
TCP SYN With Data Drop 0
ignore msl 0
NAT Port Preserve Try 0
NAT Port Preserve Succ 0
BW-Limit Exceed drop 0
BW-Watermark drop 0
L4 CPS exceed drop 0
NAT CPS exceed drop 0
L7 CPS exceed drop 0
SSL CPS exceed drop 0
SSL TPT exceed drop 0
SSL TPT-Watermark drop 0
L3V Conn Limit Drop 0
L4 server handshake fail 0
L4 AX re-xmit SYN 0
L4 rcv ACK on SYN 0
L4 rcv RST on SYN 0
TCP no-Est Sess aged out 0
no-Est CSYN rcv aged out 0
no-Est SSYN snt aged out 0
L4 rcv rexmit SYN 589824
L4 rcv rexmit SYN (delq) 589824
L4 rcv rexmit SYN|ACK 0
L4 rcv rexmit SYN|ACK DQ 0
L4 rcv fwd last ACK 0
page 427
L4 rcv rev last ACK 0

L4 rcv fwd FIN 0
L4 rcv fwd FIN dup 0
L4 rcv fwd FIN|ACK 0
L4 rcv rev FIN 0
L4 rcv rev FIN dup 0
L4 rcv rev FIN|ACK 0
L4 rcv fwd RST 226510
L4 rcv rev RST 0
L4 UDP reqs no rsp 0
L4 UDP req rsps 0
L4 UDP req/rsp not match 0
L4 UDP req > rsps 0
L4 UDP rsps > reqs 0
L4 UDP reqs 0
L4 UDP rsps 0
L4 TCP Established 0
Skip Insert-client-ip 0
DNS query id switch 0
Field Description
IP out noroute Number of IP packets that could not be routed. These packets are dropped by the
ACOS device.
TCP out RST Number of TCP Resets sent.
TCP out RST no SYN Number of Resets sent for which there was no SYN.
TCP out RST L4 proxy Number of TCP Reset packets the ACOS device has sent as a Layer 4 proxy.
TCP out RST ACK attack Number of TCP Resets sent in response to a TCP ACK attack.
TCP out RST aFleX Number of TCP Reset packets the ACOS device has sent due to an aFleX policy.
TCP out RST stale sess This counter is incremented each time the following occurs:
• A client SYN is received
• “reset on terminated session SYN packet” is enabled in the delete queue (this is
enabled by default)
• “slb reset-stale-session” is enabled.
In such cases, an RST is sent out and the counter is incremented.

TCP out RST TCP proxy Number of TCP Reset packets the ACOS device has sent as a TCP proxy.
TCP SYN received Number of first SYN packets the ACOS device has received from the client.
TCP SYN cookie snt Number of TCP SYN cookies sent.
page 428
Field Description
TCP SYN cookie expd Number of TCP SYN cookies with expanded options that were sent.
snt
NOTE: Expanded SYN cookie options are disabled by default but can be enabled.
(See “syn-cookie” on page 367.)
TCP SYN cookie snt fail Number of TCP SYN cookie send attempts that failed because delivery to the client
failed.
TCP received Number of subsequent packets ACOS received from a client during a particular
session. Counter includes the following types of packets: SA, A, FINACK, PSHACK.
UDP received Number of UDP packets received.
L2 DSR received Number of reply packets received for Layer 2 DSR sessions.
L3 DSR received Number of reply packets received for Layer 3 DSR sessions.
Server sel failure Number of times selection of a real server failed.
Source NAT failure Number of times a source NAT failure occurred.
Source NAT no fwd Number of times there was no route to the destination for Layer 3 NAT traffic.
route
Source NAT no rev route Number of times there was no route to the source for Layer 3 NAT traffic.
Source NAT ICMP Pro- Number of times an ICMP error related to source NAT occurred.
cess
Source NAT ICMP No Number of times an ICMP error related to source NAT occurred, and there was no
Match matching session for the traffic.
Auto NAT ID mismatch Number of times a mismatch has occurred between a Smart NAT resource and a
VRRP-A VRID.
TCP SYN cookie failed Number of times a TCP SYN cookie validate failure occurred when the client never
sent an ACK packet to complete the TCP three-way handshake.
L4 SYN attack Total number of TCP SYNs received by the ACOS device that were not followed by
a valid client ACK to establish the connection.
This counter is calculated as follows:

(Total-SYNs-Received-by-Hardware +
Total-SYNs-Received-by-Software) -
Total-Number-of-Successful-Connections =
L4-SYN-Attack-Count
NAT no session drops Number of packets sent to the NAT Pool IP, but for which there was no corre-
sponding session on the device.
vport not matching Number of packets received on a virtual port that was either down, disabled, or
drops non-existent.
No SYN pkt drops The cumulative number of the following three types of packets: ACK, RST, FIN.
No SYN pkt drops - FIN Number of FIN packets received for which there was no corresponding session on
the ACOS device.
No SYN pkt drops - RST Number of RST packets received for which there was no corresponding session on
the ACOS device.
No SYN pkt drops - ACK Number of ACK packets received for which there was no corresponding session on
the ACOS device.
Conn Limit drops Number of connections dropped because the server connection limit had been
reached.
page 429
Field Description
Conn Limit resets Number of connections reset because the server connection limit had been
reached.
Conn rate limit drops Number of connections dropped by connection rate limiting.
Conn rate limit resets Number of connections reset by connection rate limiting.
Proxy no sock drops Number of packets dropped because the proxy did not have an available socket.
aFleX drops Number of packets dropped due to an aFleX policy.
Session aged out Total number of TCP (TCP Session aged out), UDP (UDP Session aged out) and
other (Other session aged out) sessions that aged out.
TCP Session aged out Number of TCP sessions that aged out, including both half-open and established
sessions.
UDP Session aged out Number of UDP sessions that have aged out.
Other Session aged out Number of sessions of other types (not TCP or UDP) that have aged out.
TCP no SLB This counter is deprecated and is no longer used.
UDP no SLB Number of non-SLB UDP packets received by the ACOS device.
SYN Throttle If the count of buffers allocated from system memory is higher than currently avail-
able free system buffers, a flag is enabled to ‘throttle SYN’. For TCP connections,
this means that incoming packets for new TCP connections are dropped to avoid
queuing more buffers for processing.
Inband HM retry Number of times the ACOS device retried an inband health check, because a SYN-
ACK was not received for the previous SYN.
Inband HM reassign Number of times the ACOS device reassigned a client’s traffic to another server,
because the initial server exceeded the maximum number of retries allowed by the
inband health check.
Auto-reselect server Number of times the ACOS device has reperformed server selection automatically
because the initially selected server did not respond to the TCP-SYN from the
ACOS device.
NOTE: In the current release, this counter applies only to traffic on HTTP/HTTPS
virtual ports.
Fast aging set Number of times fast aging of idle connections was automatically enabled by the
ACOS device due to factors such as low availability of I/O buffers, number of ses-
sions or amount of available memory.
Fast aging reset Number of times fast aging of idle connections was disabled. This occurs after a
sufficient number of buffers become available again.
TCP invalid drop Number of TCP packets received by the ACOS device that did not conform to the
standard format for TCP packets. For example, this counter is incremented if the
ACOS device receives a packet whose total length is less than the following:
Internet-Header-Length * 4 + TCP-data-offset *4
Out of sequence ACK Number of TCP ACKs that were dropped because they were out of sequence.
drop
page 430
Field Description
SYN stale sess drop This counter is incremented each time the following occurs:
• A client SYN is received
• “reset on terminated session SYN packet” is enabled in the delete queue (this is
enabled by default)
• “slb reset-stale-session” is disabled.
In such cases, the packet is dropped and the counter is incremented.

Anomaly out of Number of packets that matched an IP anomaly out-of-sequence filter.
sequence
NOTE: To configure IP anomaly filters, see the ip anomaly-drop command in the
“Config Commands: IP” chapter in the Network Configuration Guide.
Anomaly zero window Number of packets that matched an IP anomaly zero-window filter.
Anomaly bad content Number of packets that matched an IP anomaly bad-content filter.
Anomaly PBSLB drop Number of packets that matched an IP anomaly filter used for system-wide Policy-
Based SLB (PBSLB).
No resource drop Number of times traffic has been dropped because the ACOS device had run out of
Layer 4 session resources.
Reset unknown conn Number of times the ACOS device sent a RST in response to a non-SYN packet for
a non-existent session.
NOTE: This feature is enabled using the reset-unknown-conn option in virtual port
templates. See “slb template virtual-port” on page 97.
RST L7 on failover Number of Layer 7 sessions that were reset following VRRP-A failover.
TCP SYN Other Flags Number of TCP SYN packets that were dropped by the ACOS device because they
Drop contained a flag other than the SYN flag.
TCP SYN With Data Number of TCP SYN packets that were dropped by the ACOS device because they
Drop contained data.
Ignore MSL Number of times a SYN packet reaches the MSL limit (default is 2 seconds) during
a time-wait state and does not get dropped due to the “ignore-tcp-msl” option being
configured in the virtual-port template.
(See “slb template virtual-port” on page 97.)

NAT Port Preserve Try Number of times the client port preservation feature attempted to preserve a cli-
ent’s source port for traffic destined to a virtual port.
Note: This feature is enabled using the snat-port-preserve option in virtual port
templates. See “slb template virtual-port” on page 97.
NAT Port Preserve Succ Number of times the client port preservation feature successfully preserved a cli-
ent’s source port for traffic destined to a virtual port.
BW-Limit Exceed drop Number of times traffic was dropped because a configured bandwidth limit was
exceeded.
BW-Watermark drop Number of times traffic was dropped because a configured bandwidth watermark
was exceeded.
L4 CPS exceed drop Number of times traffic was dropped because the maximum allowed number of
Layer 4 connections per second (CPS) was exceeded.
page 431
Field Description
NAT CPS exceed drop Number of times traffic was dropped because the maximum allowed number of
NAT CPS was exceeded.
L7 CPS exceed drop Number of times traffic was dropped because the maximum allowed number of
Layer 7 CPS was exceeded.
SSL CPS exceed drop Number of times traffic was dropped because the maximum allowed number of
SSL CPS was exceeded.
SSL TPT exceed drop Number of times SSL traffic was dropped because SSL throughput exceeded the
maximum allowed by a system-resource template.
SSL TPT-Watermark Number of times SSL traffic was dropped because SSL throughput exceeded the
drop configured watermark.
L3V Conn Limit Drop Number of times Layer 3 traffic was dropped because a configured connection
limit was exceeded.
L4 server handshake fail Number of times traffic was dropped because the Layer 4 handshake with a server
failed.
L4 AX re-xmit SYN Number of times the ACOS device needed to retransmit a TCP SYN.
L4 rcv ACK on SYN Number of SYN-ACKs (ACKs in response to TCP-SYNs) received by the ACOS
device.
L4 rcv RST on SYN Number of TCP Resets (RST) the ACOS device received in response to a SYN.
TCP no-Est Sess aged Number of half-open sessions on the ACOS device. A half-open session means the
out ACOS device received a SYN packet, forwarded it to the backend server but there
was no SYN-ACK from the backend server, resulting in a half-open session on the
ACOS device. These sessions are created with a session age time of 60 seconds. If
the session is idle for more than 60 seconds, ACOS terminates the session and
removes it from the session table and increments this counter.
no-Est CSYN rcv aged Number of times the ACOS device received a SYN from a client and forwarded it to
out the server. This can create a half-open session on the ACOS device if there is no
SYN-ACK from the server for a period exceeding 60 seconds. If this happens, ACOS
kills the session and increments this counter.
no-Est SSYN snt aged Number of TCP sessions that aged out before a SYN was received from the server,
out and therefore could not be established.
L4 rcv rexmit SYN Number of times the client does not get a SYN-ACK from the server. This causes
the client to retransmit same SYN packet that it sent earlier. This counter will incre-
ment each time such a re-transmission of the SYN packet occurs.
L4 rcv rexmit SYN (delq) Number of times the client SYN packet matches an existing session currently in
the delete queue. When this occurs, both the “L4 rcv rexmit SYN” and “L4 rcv rexmit
SYN (delq)” counters are incremented.
L4 rcv rexmit SYN|ACK Total number of retransmitted SYN-ACKs received by the ACOS device.
L4 rcv rexmit SYN|ACK Number of retransmitted SYN-ACKs received by the ACOS device for sessions that
DQ had already been moved to the delete queue.
L4 rcv fwd last ACK Number of final ACKs (last ACKs of a given TCP session) received by the ACOS
device from clients.
Note: In this field and the following fields, the following terms describe the traffic
origination and direction:
• rcv fwd – Final ACKs received from the client.
• rcv rev – Final ACKs received from the server.
page 432
Field Description
L4 rcv rev last ACK Number of final ACKs (last ACKs of a given TCP session) received by the ACOS
device from servers.
L4 rcv fwd FIN Number of TCP FINs received from clients.
L4 rcv fwd FIN dup Number of times more than one FIN packet is received from the client.
An example of this would be if the server did not reply to a FIN-ACK in time, thus
causing the client to send another FIN.
L4 rcv fwd FIN|ACK Number of TCP FIN-ACKs received from clients.
L4 rcv rev FIN Number of TCP FINs received from servers.
L4 rcv rev FIN dup Number of duplicate TCP FINs received from servers.
L4 rcv rev FIN|ACK Number of TCP FIN-ACKs received from servers.
L4 rcv fwd RST Number of TCP RST packets that the ACOS device received from a client and for-
warded to the server.
L4 rcv rev RST Number of TCP RST packets that the ACOS device received from a server and for-
warded to the client.
L4 UDP reqs no rsp Number of port 53 UDP requests received to which there was no response.
L4 UDP req rsps Number of port 53 UDP requests received to which there was a response.
L4 UDP req/rsp not Number of mismatches between port 53 UDP requests and responses.
match
L4 UDP req > rsps Number of port 53 UDP requests received for which there was no corresponding
response.
L4 UDP rsps > reqs Number of port 53 UDP responses received for which there was no corresponding
request.
L4 UDP reqs Total number of port 53 UDP requests received by the ACOS device.
L4 UDP rsps Total number of port 53 UDP responses received by the ACOS device.
L4 TCP Established Number of established sessions that completed a 3-way TCP handshake.
Skip Insert-client-ip Number of times client IP insertion into TCP option failed due to lack of space.
DNS query id switch Number of requests load balanced based on DNS query ID.
show slb mssql

Description Display statistics for database load-balancing (DBLB) for a MS-SQL data-
base system.
Syntax show slb mssql [detail]
Mode All
Example The following command displays MS-SQL statistics:
page 433
ACOS(config)# show slb mssql

Total
------------------------------------------------------------------
Curr Proxy Conns 0
Total Proxy Conns 0
Curr BE Encryption Conns 0
Total BE Encryption Conns 0
Curr FE Encryption Conns 0
Total FE Encryption Conns 0
Client FIN 0
Server FIN 0
Session err 0
DB Queries 0
DB commands reply 0
Authentication Success 0
Authentication Failure 0
The following table describes the output:
Field Description
Current Proxy Connections Number of currently active connections that use the DBLB proxy.
Total Proxy Connections Total number of connections that have used the DBLB proxy.
Current BE Encryption Connec- Number of currently active, encrypted connections on the back-end (BE),
tions between the ACOS device and server which process database queries.
Total BE Encryption Connections Total number of encrypted connections on the back-end (BE), between
the ACOS device and server which process database queries.
Current FE Encryption Connec- Number of currently active, encrypted connections on the front-end (FE),
tions between the ACOS device and a client.
Total FE Encryption Connections Total number of encrypted connections on the front-end (FE), between
the ACOS device and a client.
Client FIN Number of TCP connections that were closed on the client side.
Server FIN Number of TCP connections that were closed on the server side.
Session Error Total number of session errors that occurred while processing DBLB
requests.
DB Queries Total number of received database queries.
Note: This counter corresponds to the number of instances that the aFleX
DB_QUERY event was triggered.
DB Commands Reply Total number of received database commands.
DB_COMMAND event was triggered.
page 434
Field Description
Authentication Success Number of successful AUTH commands.
Authentication Failure Number of failed AUTH commands.
show slb mysql

Description Display statistics for database load-balancing (DBLB) for a MySQL database
system.
Syntax show slb mysql [detail]
Mode All
Example The following command displays MySQL statistics:
ACOS(config)# show slb mysql

Total
------------------------------------------------------------------
Curr Proxy Conns 0
Total Proxy Conns 0
Curr BE Encryption Conns 0
Total BE Encryption Conns 0
Curr FE Encryption Conns 0
Total FE Encryption Conns 0
Client FIN 0
Server FIN 0
Session err 0
DB Queries 0
DB commands reply 0
Field Description
Current Proxy Connections Number of currently active connections that use the DBLB proxy.
Total Proxy Connections Total number of connections that have used the DBLB proxy.
Current BE Encryption Connec- Number of currently active, encrypted connections on the back-end (BE),
tions between the ACOS device and server which process database queries.
Total BE Encryption Connections Total number of encrypted connections on the back-end (BE), between the
ACOS device and server which process database queries.
Current FE Encryption Connec- Number of currently active, encrypted connections on the front-end (FE),
tions between the ACOS device and a client.
page 435
Field Description
Total FE Encryption Connections Total number of encrypted connections on the front-end (FE), between the
ACOS device and a client.
Client FIN Number of TCP connections that were closed on the client side.
Server FIN Number of TCP connections that were closed on the server side.
Session Error Total number of session errors that occurred while processing DBLB
requests.
DB Queries Total number of received database queries.
DB_QUERY event was triggered.
DB Commands Reply Total number of received database commands.
DB_COMMAND event was triggered.
show slb passthrough

Description Display statistics for pass-through TCP sessions. A pass-through TCP ses-
sion is one that is not terminated by the ACOS device (for example, a session
for which the ACOS device is not serving as a proxy for SLB).
Syntax show slb passthrough
Mode All
Example The following command displays TCP pass-through session statistics:
ACOS# show slb passthrough

Request packets: 10741 Response packets: 38195
Request bytes: 570272 Response bytes: 56562872
Current connections: 0 Total connections: 4
page 436
show slb performance

Description Show SLB performance statistics.
Syntax show slb performance

[interval number [detail]]
[{l4cpi | l7cpi | l7tpi | natcpi | sslcpi} [detail]]
Option Description
FWcpi Shows only Firewall connections per interval.
interval Automatically refreshes the output at the specified interval. The interval can be 1-32
number seconds. If you omit this option, the output is shown one time. If you use this option,
the output is repeatedly refreshed at the specified interval until you press ctrl+c.
detail Lists separate counters for each CPU.
l4cpi Shows only Layer 4 connections per interval.
l7cpi Shows only Layer 7 connections per interval.
l7tpi Shows only Layer 7 transactions per interval.
natcpi Shows only Network Address Translation (NAT) connections per interval.
sslcpi Shows only SSL connections per interval.
detail This option is not used in the current release.
Mode All
Example The following command shows SLB performance statistics:
ACOS# show slb performance

Refreshing SLB performance every 1 seconds. (press ^C to quit)
Note: cpi conn/interval, tpi transactions/interval
CPU Usage L4cpi L7cpi L7tpi SSLcpi Natcpi FWcpi Time

---------------------------------------------------------------------------------
8/9 0 0 0 0 0 0 11:46:10
4/4 4222 0 0 0 0 0 11:46:11
4/4 3 0 0 0 0 0 11:46:12
Field Description
Refreshing SLB perfor- Interval at which the statistics are refreshed.
mance every # seconds
CPU Usage Utilization on each data CPU.
Each number is the utilization on one data CPU. In the example shown above,
the ACOS model has three data CPUs, and the utilization on each one is 1%.
L4cpi Layer 4 connections per interval.
L7cpi Layer 7 connections per interval.
page 437
Field Description
L7tpi Layer 7 transactions per interval.
SSLcpi SSL connections per interval.
Natcpi NAT connections per interval.
FWcpi FW connections per interval.
Time System time when the statistics were collected.
show slb persist

Description Show persistence load-balancing statistics.
Syntax show slb persist [detail]
Example The following command shows summary persistence statistics:
ACOS# show slb persist

Total
------------------------------------------------------------------
URL hash persist(pri) 0
URL hash persist(sec) 0
URL hash persist fail 0
SRC IP persist ok 0
SRC IP persist fail 0
SRC IP hash persist(pri) 0
SRC IP hash persist(sec) 0
SRC IP hash persist fail 0
DST IP persist ok 0
DST IP persist fail 0
DST IP hash persist(pri) 0
DST IP hash persist(sec) 0
DST IP hash persist fail 0
SSL SID persist ok 0
SSL SID persist fail 0
Cookie persist ok 0
Cookie persist fail 0
Persist cookie not found 0
Persist cookie Pass-thru 0
Enforce higher priority 30
page 438
Field Description
URL hash persist(pri) Number of requests successfully sent to the primary server selected by URL hash-
ing. The primary server is the one that was initially selected and then re-used
based on the hash value.
URL hash persist(sec) Number of requests that were sent to another server (a secondary server) because
the primary server selected by URL hashing was unavailable.
URL hash persist fail Number of requests that could not be fulfilled using URL hashing.
SRC IP persist ok Number of requests successfully sent to the same server as previous requests
from the same client, based on source-IP persistence.
SRC IP persist fail Number of requests that could not be fulfilled by the same server as previous
requests from the same client, based on source-IP persistence.
SRC IP hash persist(pri) Number of requests successfully sent to the primary server selected by source IP
hashing. The primary server is the one that was initially selected and then re-used
based on the hash value.
SRC IP hash persist(sec) Number of requests that were sent to another server (a secondary server) because
the primary server selected by source IP hashing was unavailable.
SRC IP hash persist fail Number of requests that could not be fulfilled using source IP hashing.
DST IP persist ok Number of requests that were sent to the same resource, based on destination-IP
persistence.
DST IP persist fail Number of requests that could not be sent to the same resource, based on desti-
nation-IP persistence.
DST IP hash persist(pri) Number of requests successfully sent to the primary server selected by destina-
tion IP hashing. The primary server is the one that was initially selected and then
re-used based on the hash value.
DST IP hash persist(sec) Number of requests that were sent to another server (a secondary server) because
the primary server selected by destination IP hashing was unavailable.
DST IP hash persist fail Number of requests that could not be fulfilled using destination IP hashing.
SSL SID persist ok Number of requests successfully sent to the same server as previous requests
that had the same SSL session ID, based on SSL session-ID persistence.
SSL SID persist fail Number of requests that could not be fulfilled by the same server as previous
requests that had the same SSL session ID, based on SSL session-ID persistence.
Cookie persist ok Number of requests successfully sent to the same server as previous requests
based on a persistence cookie.
Cookie persist fail Number of requests that could not be fulfilled by the same server as previous
requests based on a persistence cookie.
Persist cookie not found Number of requests in which a persistence cookie was not found in the request
header.
Persist cookie Pass-thru Number of requests that contained a pass-through cookie.
Enforce higher priority Number of times the enforce-higher-priority option overrode server persistence
and selected another server.
page 439
show slb pop3-proxy

Description Show POP3 proxy statistics
Syntax show slb pop3-proxy [detail]
Mode All
Example Example output for this command:
ACOS-Inside# show slb pop3-proxy

Total
------------------------------------------------------------------
Total proxy conns 0
Total POP3 Request 0
no route failure 0
source nat failure 0
request line freed 0
request line freed 0
invalid start line 0
other cmd 0
line too long 0
Control chn ssl 0
Bad Sequence 0
Serv Sel Persist fail 0
Serv Sel SMPv6 fail 0
Serv Sel SMPv4 fail 0
Serv Sel ins tpl fail 0
Client EST state erro 0
Serv CTNG state erro 0
Serv RESP state erro 0
Client RQ state erro 0
page 440
show slb rate-limit-logging

Description Show log rate-limiting statistics.
Syntax show slb rate-limit-logging [detail]
Mode All
Example The following command shows log rate-limiting statistics:
ACOS# show slb rate-limit-logging

Total
------------------------------------------------------------------
Total log times 51
Total log messages 26
Local log messages 190
Remote log messages 1959
Local rate (per sec) 32
Remote rate (per sec) 453
Log message too big 0
No route 0
Buffer alloc fail 0
Buffer send fail 0
Log-session alloc 15
Log-session free 15
Log-session alloc fail 0
No repeat message 4
Field Description
Total log times Total number of times log rate limiting has been used.
Total log messages Total number of log messages generated by the ACOS device.
NOTE: The ACOS device combines repeated messages into a single message.
For this reason, the Total log times count will differ from the Total log messages
count.
Local log messages Total number of log messages in the ACOS device’s log buffer. These messages
can be displayed using the show log command.
Remote log messages Total number of log messages the ACOS device has sent to external log servers.
Local rate (per sec) Number of messages sent to the ACOS device’s log buffer during the most
recent one-second interval.
page 441
Field Description
Remote rate (per sec) Number of messages sent to external log servers during the most recent one-
second interval.
Log message too big Number of log messages dropped by the ACOS device because they were too
long.
No route Number of log messages dropped by the ACOS device because the device did
not have a route to the log server.
Buffer alloc fail Number of times the ACOS device was unable to allocate a buffer for sending a
log message to an external log server.
Buffer send fail Number of times the ACOS device was unable to send a log message that had
been placed in the buffer for sending to an external log server.
Log-session alloc Number of times the ACOS device allocated a log session for repeated log mes-
sages.
Log-session free Number of times the ACOS device freed a log session that was allocated for
repeated log messages.
Log-session alloc fail Number of times the ACOS device was unable to allocate a log session for
repeated log messages.
No repeat message Number of times there was no repeated message for a log session allocated for
repeated messages.
show slb resource-usage

Description Display the minimum and maximum numbers of SLB resources that can be
configured or used, the default maximum number allowed by the configura-
tion, and the number currently in use.
Syntax show slb resource-usage
Example Below is an example of the output for this command:
ACOS# show slb resource-usage

Resource Current Default Minimum Maximum
--------------------------------------------------------------------------
nat-pool-addr-count 10 10 10 2000
real-server-count 128 128 32 8192
real-port-count 256 256 64 16384
service-group-count 128 128 32 8192
virtual-port-count 128 128 32 8192
virtual-server-count 64 64 16 4096
http-template-count 128 128 32 4096
proxy-template-count 128 128 32 4096
conn-reuse-template-count 128 128 32 4096
fast-tcp-template-count 128 128 32 4096
fast-udp-template-count 128 128 32 4096
client-ssl-template-count 128 128 32 8192
server-ssl-template-count 128 128 32 8192
page 442
stream-template-count 128 128 32 4096

persist-cookie-template-count 128 128 32 4096
persist-srcip-template-count 128 128 32 4096
class-list-ipv6-addr-count 524288 524288 524288 1048576
gslb-site-count 500 500 500 500
gslb-device-count 1000 1000 1000 1000
gslb-service-ip-count 128 128 32 5000
gslb-service-port-count 256 256 64 10000
gslb-zone-count 5000 5000 5000 5000
gslb-service-count 10000 10000 10000 10000
gslb-policy-count 10000 10000 10000 10000
gslb-geo-location-count 5000000 5000000 5000000 5000000
gslb-ip-list-count 500 500 500 500
gslb-template-count 1000 1000 1000 1000
gslb-svc-group-count 500 500 500 500
auth-portal-html-file-size 20 20 4 120
auth-portal-image-file-size 6 6 1 80
show slb server

Description Show information about real servers.
Syntax show slb server [bindings]
or
show slb server
[server-name [port-num]
[all-partitions | partition {shared | name} | detail] |
[config]
[all-partitions | partition {shared | name}] |
[connection-reuse]
[all-partitions | partition {shared | name}] |
[auto-nat-stats]
server-name [[port-num] detail Shows information only for the specified server or port. If you omit
this option, information is shown for all real servers and ports.
The detail option shows statistics for the specified server or port.
This option also displays the name of the server or port template
bound to the server or port.
bindings Shows the bindings for real server ports.
config Shows the SLB configuration of the real servers.
connection-reuse Shows connection-reuse state information and statistics for the real
servers.
auto-nat-stats Shows statistics for Smart NAT.
page 443
all-partitions Show SLB server configuration for all partitions.
partition {shared | name} Show SLB server configuration for either the shared partition, or the
specified L3V partition name.
Mode All
Example The following command shows the output for the basic show slb server
command. The “State”
ACOS# show slb server

Total Number of Servers configured: 1
Total Number of Services configured: 1
Current = Current Connections, Total = Total Connections
Fwd-pkt = Forward packets, Rev-pkt = Reverse packets
Service Current Total Fwd-pkt Rev-pkt Peak-conn State
------------------------------------------------------------------------------------------
test-s1:80/tcp 0 0 0 0 0 Disb/Down
test-s1: Total 0 0 0 0 0 Disb/Down
Example The following command shows SLB statistics for real server “http1”. This
server is in a service group that is bound to an HTTP virtual port:
ACOS# show slb server http1

Total Number of Services configured on Server http1: 1
Service: http1:80/tcp (Status: Up)
Forward packets: 0 Reverse packets: 0
Forward bytes: 0 Reverse bytes: 0
Current connections: 0 Persistent connections: 0
Current requests: 0 Total requests: 0
Total connections: 0 Total requests succ: 0
Response time: 0 tick
Peak connections: 0
Health-check:
--------------------------------------------------------
Up reason: HTTP Status Code OK
Monitor name: http
Method: HTTP
Attribute: port=80
url="GET /"
Wait for HTTP response:False
L4 conn made: 938
L4 errors: 0
Health-check average RTT (us):15930
Health-check current RTT (us):15958
page 444
Health-check average TCP RTT (us):7895

Health-check current TCP RTT (us):7933
HTTP requests sent: 938
HTTP errors: 0
Received OK: 938
Received error: 0
Response timeout: 0
Example The following table describes out fields for the show slb server command.
The output from this command includes statistics for health check fields.
Keep in mind that these health check fields only appear in the output for
HTTP traffic. The counters begin when the health check is configured and
increment until the statistics are cleared or the health check is deleted.
Field Description
Total Number of Services Total number of services configured on the ACOS device (if a server name is
configured not specified) or on the specified server.
Service Real server name, service protocol port, and transport protocol (TCP or UDP),
and Status (Up/Down/Disabled)
Forward packets Number of request packets received for the service.
Reverse packets Number of response packets sent on behalf of the real server.
Forward bytes Number of request bytes received for the service.
Reverse bytes Number of response bytes sent on behalf of the real server.
Current Current number of connections to the service.
Persistent connections Number of persistent connections to the service.
Current requests Current number of requests to the service.
Total requests Total number of requests to the service.
Total connections Total number of connections to the service.
Total requests succ Total number of requests to the service successfully received.
Response time Server response time.
Peak-conn Peak connection rate.
Note: Peak connection statistics are collected only if the extended-stats option
is enabled. To enable extended-stats, see the following:
• “slb common” on page 20 (global)
• “extended-stats” on page 306 (individual server)

Health check fields (HTTP traffic only)
Up / Down reason Reason the ACOS device marked the port up or down.
Monitor name Name of the health monitor used to perform the health check.
Method Health method in the monitor used for the health check.
Attribute The destination TCP port of the health check, and the HTTP request sent to the
port.
page 445
Field Description
Wait for HTTP response Indicates whether the ACOS device is still waiting for a response to the HTTP
request.
L4 conn made Total number of Layer 4 connections made to the destination TCP port for
health checking.
L4 errors Total number of Layer 4 errors that occurred during health checking.
Health-check average RTT The average length of time it took for each health check. The time is expressed
in microseconds (us).
This counter includes the entire health-check process.

Health-check current RTT The length of time it took to perform the most recent health check.
Health-check average TCP The average length of time it took to complete the 3-way handshake with the
RTT server port.
Health-check current TCP The length of time it took to complete the 3-way handshake in the most recent
RTT health check.
HTTP requests sent Total number of HTTP requests sent to the server as part of health checks.
HTTP errors Total number of HTTP errors that occurred during health checking.
Received OK Number of times the payload of a Layer 4 health check reply was successfully
read by the ACOS device.
Received error Number of times a a read failure occurred in the a10hm module.
Response timeout Number of times a health check to the port timed out.
NOTE: The same health check fields appear in the output for the show slb
service-group group-name and similarly only apply to HTTP traffic.
Example The following command shows details for a real server:
ACOS# show slb server dang0 detail

Server name: dang0
Server IP address: 192.168.120.21
Server gateway ARP: 0000:0000:0000
State: Down
Server template: default
Health check: default
Current connection: 0
Current request: 0
Total connection: 0
Total request: 0
Total request success: 0
Total forward bytes: 0
Total forward packets: 0
Total reverse bytes: 0
Total reverse packets: 0
Peak connection: 0
page 446
Field Description
Server name Name of the server.
Server IP address IP address of the server.
Server gateway ARP Server ARP value (if directly connected) or nexthop ARP value (if connected through a
gateway).
State Current state of the service:
• Up
• Down
• Disabled
Server template Name of the real server template bound to the server.
Health check Name of the health monitor used to check the health of the real port.
Current connection Current number of connections to the port.
Current request Current number of HTTP requests being processed by the port.
Note: In this field and the Total request and Total request success fields, Layer 7
requests are counted only if Layer 7 request accounting is enabled. See “slb common”
on page 20.
Total connection Total number of connections that have been made to the port.
Total request Total number of HTTP requests processed by the port.
Total request suc- Total number of HTTP requests that were successful.
cess
Total forward bytes Number of request bytes forwarded to the port.
Total forward packets Number of request packets forwarded to the port.
Total reverse bytes Number of request bytes received from the port.
Total reverse packets Number of request packets received from the port.
Peak connection Peak connection count.
Note: Peak connection statistics are collected only if the extended-stats option is
enabled. To enable extended-stats, see the following:
Example The following command shows details for a real port on a server:
ACOS(config)# show slb server dang1 80 detail

Server name: dang1
Port: 1.1.1.1:80
State: Up
Port template: default
Health check: default
page 447
Current request: 42
Total connection: 10011
Total request: 20090
Peak connection: 24411
Field Description
Server name Name of the server.
Server IP address IP address of the server.
Server gateway ARP Server ARP value (if directly connected) or nexthop ARP value (if connected
through a gateway).
Port Real port number.
• Up
• Down
• Disabled
Port template Name of the real port template bound to the port.
Health check Name of the health monitor used to check the health of the real port.
Current connection Current number of connections to the port.
Current request Current number of HTTP requests being processed by the port.
In this field and the Total request and Total request success fields, Layer 7
requests are counted only if Layer 7 request accounting is enabled. See “slb com-
mon” on page 20.
Total connection Total number of connections that have been made to the port.
Total request Total number of HTTP requests processed by the port.
Total request success Total number of HTTP requests that were successful.
Total forward bytes Number of request bytes forwarded to the port.
Total forward packets Number of request packets forwarded to the port.
Total reverse bytes Number of request bytes received from the port.
page 448
Field Description
Total reverse packets Number of request packets received from the port.
Peak connection statistics are collected only if the extended-stats option is

Example The following command displays detailed information for a dynamic host-
name server. The configuration details are shown first, followed by details
for the dynamically created servers.
ACOS# show slb server s-test1 detail

Server name: s-test1
Hostname: s1.test.com
Last DNS reply: Tue Nov 17 03:41:59 2009
State: Up
Server template: temp-server
DNS query interval: 5
Minimum TTL ratio: 3
Maximum dynamic server:16
Health check: none
Current request: 0
Total request: 1919
Total forwarded byte: 546650
Total forwarded packet: 5715
Total received byte: 919730
Total received packet: 5631
Dynamic server name: DRS-10.4.2.5-s1.test.com
Last DNS reply: Tue Nov 17 03:41:59 2009
TTL: 4500
State: Up
Server template: test
DNS query interval: 5
Minimum TTL ratio: 15
Maximum dynamic server:1023
Health check: none
Current request: 0
page 449
Total request: 1919

Example The following command shows SLB configuration information for real serv-
ers:
ACOS# show slb server config

H-check = Health check Max conn = Max. Connection Wgt = Weight
Service Address H-check Status Max conn Wgt
------------------------------------------------------------------------------
1_yahoo_finance:80/tcp 69.147.86.163 None Enable 1000000 1
1_yahoo_finance 69.147.86.163 None Enable 1000000 1
1_cybozu:80/tcp 202.218.147.129 None Enable 1000000 1

1_cybozu 202.218.147.129 None Enable 1000000 1
win20:25/tcp 172.22.66.20 Default Enable 1000000 1

win20 172.22.66.20 ping Disable 1000000 1
win21:25/tcp 172.22.66.21 Default Enable 1000000 1

--MORE--
page 450
Field Description
Total Number of Services config- Total number of SLB services configured on the ACOS device.
ured
Service Real server name, service protocol port, and transport protocol (TCP or
UDP).
Address Real IP address of the server.
H-check Health check enabled for the service:
• None – No health check has been applied to the service.
• Default – The default health monitor for the service type was automati-
cally applied to the service by the ACOS device.
• Name of a configured health monitor (for example, “ping”) – The

named health monitor was applied to the service by an ACOS adminis-
trator.
Status Current administrative status of the service:
• Enable
• Disable
Max conn Maximum number of connections allowed to the service.
Wgt Administrative weight assigned to the service.
Example The following command shows connection-reuse state information and sta-
tistics for real servers:
ACOS# show slb server connection-reuse

Service State Persistent-Conn
----------------------------------------------------
1_yahoo_finance:80/tcp Up 0
1_cybozu:80/tcp Up 0
win20:25/tcp Down 0
win21:25/tcp Up 0
win21:110/tcp Up 0
win21:80/tcp Up 0
win21:443/tcp Down 0
linux22:25/tcp Disb 0
linux22:80/tcp Up 0
linux22:53/udp Disb 0
page 451
Field Description
Total Number of Services config- Total number of SLB services configured on the ACOS device.
ured
Service Real server name, service protocol port, and transport protocol (TCP or
UDP).
• Up
• Down
• Disabled
Persistent-Conn Number of connections sent to the server by the persistence feature.
Example The following command shows Smart NAT statistics:
ACOS(config-slb vserver-vport)# show slb server auto-nat-stats

Service HA/VR ID Nat Address Port Usage Total Used Total Freed Failed
---------------------------------------------------------------------------------------
s1:80/tcp 0 160.160.160.1 5 1513 1508 0
s1:21/tcp 0 160.160.160.1 0 0 0 0
In this example, both virtual ports are using Smart NAT. The Nat Address,
Port Usage, Total Used, Total Freed, and Failed columns show the same
information shown in show ip nat pool statistics output. (See the CLI
Reference.)
The Service column lists the server, protocol port, and Layer 4 protocol. The
HA/VR ID column lists the HA group ID or VRRP-A VRID, if applicable. In this
example, the ACOS device is deployed as a standalone device, so “0” is
shown in this column.
page 452
Field Description
Service Real server name and port number, and the Layer 4 protocol (TCP or UDP).
HA/VR ID The HA group ID or VRRP-A VRID, if applicable.
NAT Address The IP address used for the NAT mapping.
Port Usage Number of mappings currently in use by sessions.
Total Used Total number of sessions that have been NATted for the source address.
Total Freed Number of NATted sessions that have been terminated, thus freeing up a port for another ses-
sion.
Failed Number of times a mapping attempt failed. Generally, this type of error occurs if the system
does not have any resources for new mappings.
Example The following example output shows a list of server bindings:
ACOS# show slb server bindings

Total Number of Servers configured: 24
Service Port Address State
-------------------------------------------------------------------
rs1 8080 20.20.20.20
+sg-8080 All Up
+=>vip2 10.10.10.200:8080
+linux:8080 Functional Up
+=>ITA-VIP-01 192.168.19.120:8080
This example shows server bindings for server “rs1”.

The service groups are indicated by “+”. In this example, the server is a
member of the following service groups:
• sg-8080
• linux:8080
The VIP bindings are indicated by “+=>”. In this example, “rs1” has the
following bindings:
• Bound to “vip2” through service group “sg-8080”

• Bound to “ITA-VIP-01” through service group “linux:8080”
The state of each service group is shown. In this example, service group “sg-
8080” is All Up. This indicates all service ports on all real servers in the
service group are up. Service group “linux:8080” is Functionally Up. The
service is up on at least one real server in the service group, but not on all the
servers in the group.
page 453
show slb service-group

Description Show SLB service-group information.
Syntax show slb service-group [group-name] [brief] [config]

group-name Shows information only for the specified service group. If you omit this option, infor-
mation is shown for all service groups configured on the ACOS device.
brief Shows a summary view of the configured service groups and their operational status.
If you specify a service-group name, summary information is displayed for only that
group. Otherwise, summary information for all groups is displayed.
config Shows the SLB configuration of the service groups.
all-partitions Show SLB service group information in all partitions.
partition Show SLB service group information in the specified partition only.
Mode All
Example The following command shows statistics for SLB service groups:
ACOS# show slb service-group

Current = Current Connections, Total = Total Connections
Fwd-p = Forward packets, Rev-p = Reverse packets
Peak-c = Peak connections
Service Group Name
Service Current Total Fwd-p Rev-p Peak-c
------------------------------------------------------------------------------
*sg-80-1 State: Down
rs-http:80 0 0 0 0 0
*sg-80-2 State: All Up
rs-http-2:80 1 1 1 4 5
Field Description
Number of Service Groups config- Total number of SLB service groups configured on the ACOS device.
ured
Service Group Name Name of the service group.
page 454
Field Description
State Indicates the state of the service group:
• All Up – All service ports on all real servers in the service group are
up.
• Functional Up – Each service port number is up on at least one real

server in the service group.
• Down – Either all service ports are down, or some (not all) are Dis-
abled.
• Disabled – All the service ports are disabled.

Current Current number of connections to the service.
Total Number of connections to the service.
Fwd-p Number of request packets received by the ACOS device for the ser-
vice.
Rev-p Total number of server response packets sent to clients by the ACOS
device on behalf of real servers.
Peak-c Peak connection count.
Note: Peak connection statistics are collected only if the extended-

stats option is enabled. To enable extended-stats, see the following:
Example The following command shows configuration information and statistics for
SLB service group “louis”:
ACOS# show slb service-group louis

Service group name: louis State: Disb
Service selection fail drop: 2
Service selection fail reset: 1
Service peak connection: 0
Priority affinity: 10
Service: s-4-2-1:80 DOWN
Request packets: 6 Response packets: 0
Request bytes: 360 Response bytes: 0
Total connections: 3 Response time: 0.00 msec
Total requests succ: 0
Peak conn: 0
Service: s-2-2-1:80 DOWN
Forward packets: 12 Reverse packets: 9
Forward bytes: 951 Reverse bytes: 396
page 455

Total connections: 3 Response time: 0.00 msec
Total requests succ: 0
Peak conn: 0
NOTE: A separate set of health check fields appears in the show slb service-
group command output for HTTP traffic.
Field Description
Service group name Name of the service group.
State Indicates the state of the service group:
• All Up – All service ports on all real servers in the service group are up.
• Functional Up – Each service port number is up on at least one real server in the
service group.
• Partially Up – Some service ports are up but others are down.
• Down – Either all the service ports are down, or some but not all of them are Dis-
abled.
• Disabled – All the service ports are disabled.

Service selection fail Number of server selection failures where the ACOS device dropped the client
drop request.
Service selection fail Number of server selection failures for which the ACOS device sent a RST to the
reset client.
Service peak connection Peak number of connections.
Priority affinity Number associated with the currently active priority level. By default, the primary
service-group members with the highest priority are active and appear in the out-
put. However, if failover occurs, then the priority of the lower-priority secondary
members appears in the output.
Service Service bound to the service group. Also indicates the state of the service.
Forward packets Total number of request packets received by the ACOS device for the service.
Reverse packets Total number of server response packets sent to clients by the ACOS device on
behalf of real servers.
Forward bytes Total number of request bytes received by the ACOS device for the service.
Reverse bytes Total number of server response bytes sent to clients by the ACOS device on
behalf of real servers.
Current connections Current number of connections to the service.
Persistent connections Number of connections established on the server due to an SLB persistence fea-
ture.
page 456
Field Description
Current requests Current number of HTTP requests being processed by the server.
In this field and the Total Requests and Total requests success fields, Layer 7
mon” on page 20.
Total requests Total number of HTTP requests processed by the server.
Total connections Total number of connections to the service.
Response time Server response time.
Total requests succ Total number of HTTP requests that were successful.
Peak conn Peak connection count.

Example The following command shows configuration information for SLB service
groups:
ACOS# show slb service-group config

member s1 80
!
member s2 80
member s1 80
!
member s3 80
!
Example The following command displays a brief, summarized display of service-

group information for all service groups:
ACOS# show slb service-group brief

Total Number of Service Groups configured: 2
slb service-group rontest tcp
Service group name: rontest
Type: tcp Distribution: Round Robin
Health Check: None
Servers Up = 0
Servers Down = 1
Servers Disabled = 0
Total Servers in Group = 1
page 457
slb service-group udptest udp

Service group name: udptest
Type: udp Distribution: Round Robin
Health Check: None
Servers Up = 0
Servers Down = 1
Servers Disabled = 0
Total Servers in Group = 1
In this example, 2 service groups are configured. Each service group

has 1 server. In each of the groups, the server is down.
show slb sip

Description Display SIP SLB statistics.
Syntax show slb sip [detail]
Mode All
Example The following command shows SIP SLB statistics:
ACOS# show slb sip

Total
------------------------------------------------------------------
SIP Session created 0
SIP Session freed 0
Curr SIP Proxy 0
Total SIP Proxy 0
Client message rcvd 0
Sent to server 0
Incomplete 0
Drop 0
Connecting server 0
Failed 0
Server message rcvd 0
Sent to client 0
Incomplete 0
Drop 0
Failed 0
Server conn created 0
Created successfully 0
page 458
Failed 0
Field Description
SIP Session created Total number of SIP sessions created.
SIP Session freed Total number of SIP connection freed.
Curr SIP Proxy Current number of SIP connections between the ACOS device and SIP servers.
Total SIP Proxy Total number of SIP connections between the ACOS device and SIP servers.
Client message rcvd Total number of SIP messages received from clients:
• Sent to server — Number of SIP messages received from client and forwarded to
server.
• Incomplete — Number of packet which contains incomplete message.
• Drop — Number of packets dropped.
• Connecting server — Client message currently in server connecting state.
• Failed — Number of SIP messages received from clients not forwarded to servers.
Server message Total number of SIP messages received from servers:
rcvd
• Sent to client — Number of SIP messages received from server and forwarded to cli-
ent.
• Incomplete — Number of packet which contains incomplete message.
• Drop — Number of SIP messages received from servers that were not forwarded to
clients.
Server conn created Total number of connections made with servers:
• Created successfully — Number of successful connections.
• Failed — number of failed connections.
show slb smpp

Description Display Short Message Peer-to-Peer (SMPP) protocol SLB statistics.
Syntax show slb smpp [detail]
Mode All
Example The following command shows SMPP SLB statistics.
ACOS(config)# show slb smpp
page 459
Total
------------------------------------------------------------------
Curr SMPP Proxy 0
Total SMPP Proxy 0
Client message rcvd 0
Sent to server 0
Incomplete 0
AX responds directly 0
Drop 0
Connecting server 0
Failed 0
Server message rcvd 0
Sent to client 0
Incomplete 0
Drop 0
Failed 0
Server conn created 0
Created successfully 0
Failed 0
Client conn selection 0
Select by request 0
Select by roundbin 0
Select by conn 0
Select failed 0
Server conn selection 0
Select by request 0
Select by roundbin 0
Select by conn 0
Select failed 0
Field Description
SMPP msg mem allocated Total amount of memory currently in use for SMPP connections.
SMPP msg mem cached Total amount of memory cached for SMPP connections.
SMPP msg mem freed Total amount of memory freed after an SMPP connection has closed.
SMPP msg payload allocated Total amount of memory allocated for the SMPP packet payload.
SMPP msg payload freed Total amount of memory freed from the SMPP packet payload.
Curr SMPP Proxy Number of currently active connections using the SMPP proxy.
Total SMPP Proxy Total number of connections that have used the SMPP proxy.
page 460
Field Description
Client message rcvd Total number of SMPP messages received from clients.
• Sent to server – Number of SMPP messages received by the client and

forwarded to the server.
• Incomplete – Number of packets which contain incomplete messages.
• AX responds directly – Number of times the ACOS device responded

directly to a client’s request.
• Drop – Number of packets dropped due to the configured SMP

resource limit.
• Connecting server – Number of times the ACOS device forwarded a cli-

ent’s request to the SMPP server.
• Failed – The following counters display the number of failed connec-

tions, listed by the cause:
• Failed to parse
• Failed to process
• Failed to SNAT
• Exceeded buff
• Failed to send
• Server conn start failed

Server message rcvd Total number of SMPP messages received from servers.
• Sent to client – Number of SMPP messages received by the server and

forwarded to the client.
• Incomplete – Number of packets which contain incomplete messages.
• Drop – Number of packets dropped due to the configured SMP

resource limit.
• Failed – Number of SMPP messages received by the server that were

not forwarded to the client. The following counters display the number
of failed connections, listed by cause:
• Failed to parse
• Failed to process
• Failed to sel client conn
• Failed to SNAT
• Exceeded buff
• Failed to send
page 461
Field Description
Server conn created • Created successfully – Number of server connections created suc-
cessfully.
• Failed – Number of failed server connection attempts, listed by cause:
• Failed to SNAT
• Failed to construct
• Failed to reserve
• Failed to start
• Server conn already exists
• Failed to insert
Message parsing failed Number of SMPP messages that the ACOS failed to parse. The following
sub-counters describe the cause:
• The packet size too small – Number of SMPP messages that were not
parsed because the message size was less than 4 bytes.
• Invalid sequence number – SMPP messages are incremented by +1.

This counter indicates the total number of SMPP messages that were
not parsed because of an incorrect sequence number.
Message processing failed Number of times the ACOS could not process the SMPP message. The
following sub-counters describe the cause:
• No vport – There was no virtual port that matched the destination of

the SMPP message.
• Failed to select server – Server selection failure to forward the SMPP

request.
Client conn selection The following counters apply to SMPP client selection:
• Select by request – Number of client connections, selected by the type

of request message.
• Select by roundbin – Number of client connection selected by the

Round Robin algorithm.
• Select by conn – Number of client connections, selected by the con-

nection type.
• Select failed – Number of times the ACOS failed to select a client for
the SMPP connection.
page 462
Field Description
Server conn selection The following counters apply to SMPP server selection:
• Select by request – Number of server connections, selected by the type

of request message.
• Select by roundbin – Number of server connection selected by the

Round Robin algorithm.
• Select by conn – Number of server connections, selected by the con-

nection type.
• Select failed – Number of times the ACOS failed to select a server for
the SMPP connection.
Bind client and server Number of times the ACOS successfully forwarded the initial BIND mes-
sage from a client an SMPP server.
Unbind client and server Number of times the ACOS disconnected the client to an SMPP server.
Receive enquire_link Total number of ENQUIRE_LINK messages that the ACOS received from
the SMPP client or server.
Receive enquire_link_resp Total number of ENQUIRE_LINK_RESP messages that the ACOS received
from the SMPP client or server.
Send enquire_link Total number of ENQUIRE_LINK messages that the ACOS device has
sent.
Send enquire_link_resp Total number of ENQUIRE_LINK_RES messages that the ACOS device
has sent.
Fail to bind server Total number of times the ACOS device received a BIND message and
failed to connect the client to an SMPP server.
Single message Total number of single messages that were sent to the ACOS and did not
require a response.
Transfer msg from L4 to L7 CPU Number of SMPP messages that the ACOS transferred from a Layer 4
CPU to a Layer 7 CPU.
Fetch msg from L7 CPU Number of SMPP messages that the ACOS transferred from the Layer 7
Transfer msg from proxy to conn Number of SMPP messages that the ACOS transferred from the proxy
CPU CPU to the connection CPU.
Fetch msg from conn CPU Number of SMPP messages that the ACOS transferred from the connec-
tion CPU to the proxy CPU.
Transfer msg from L7 to L4 CPU Number of SMPP messages that the ACOS transferred from a Layer 7
Transfer msg from conn to proxy Number of SMPP messages that the ACOS transferred from the connec-
CPU tion CPU to the proxy CPU.
Alloc mem failed Number of times a connection failed because the ACOS device did not
have access to sufficient memory resources.
Unexpected error Number of unexpected errors that are not categorized by the other count-
ers.
AX holds msg Number of messages that the ACOS device has received from a client or
server and has yet to forward.
Splited packet Number of times the ACOS split TCP packets which contain multiple
SMPP messages.
page 463
Field Description
Message in pipeline Number of SMPP messages that the ACOS processed using an HTTP
pipeline.
show slb smtp

Description Shows SLB information for SMTP.
Syntax show slb smtp [detail]
Mode All
Example The following command shows summary SMTP SLB statistics:
ACOS# show slb smtp

Total
------------------------------------------------------------------
Total proxy conns 0
SMTP requests 0
SMTP requests (success) 0
No proxy error 0
Client reset 0
Server reset 0
No tuple error 0
Parse request failure 0
Forward request failure 0
Forward REQ data failure 0
Request retransmit 0
Request pkt out-of-order 0
Server connection made 0
Init server starttls 0
Real server starttls disable 0
Server starttls fail 0
page 464
Field Description
Current proxy conns Number of currently active SMTP connections using ACOS device as an SMTP
proxy.
Total proxy conns Number of SMTP connections that have used the ACOS device as an SMTP
proxy.
SMTP requests Total number of SMTP requests received by the SMTP proxy.
SMTP requests (success) Number of SMTP requests received by the ACOS device that were successfully
fulfilled (by connection to a real server).
Client reset Number of times TCP connections with clients were reset.
Server reset Number of times TCP connections with servers were reset.
Parse request failure Number of times parsing of an SMTP request failed.
Forward request failure Number of forward request failures.
Forward REQ data failure Number of forward request data failures.
Request retransmit Number of retransmitted requests.
Request pkt out-of-order Number of request packets received from clients out of sequence.
Server reselection Number of times a request was forwarded to another server because the current
server was failing.
Server connection made Number of connections made with servers.
Init server starttls Number of STARTTLS sessions initiated with the server.
Real server starttls disable Number of times the server was unable to negotiate a STARTTLS session.
Server starttls fail Number of times a server STARTTLS session failed due to a TCP error event.
Example This command shows detailed SMTP SLB statistics for each data processor
(DP):
ACOS# show slb smtp detail

DP0 DP1 DP2 Total
------------------------------------------------------------------
Current proxy conns 0 0 0 0
Total proxy conns 0 0 0 0
SMTP requests 0 0 0 0
SMTP requests (success) 0 0 0 0
No proxy error 0 0 0 0
Client reset 0 0 0 0
Server reset 0 0 0 0
No tuple error 0 0 0 0
page 465
Parse request failure 0 0 0 0

Server selection failure 0 0 0 0
Forward request failure 0 0 0 0
Forward REQ data failure 0 0 0 0
Request retransmit 0 0 0 0
Request pkt out-of-order 0 0 0 0
Server reselection 0 0 0 0
Server premature close 0 0 0 0
Server connection made 0 0 0 0
Source NAT failure 0 0 0 0
show slb spdy-proxy

Description Show statistics for SLB SPDY proxy.
Syntax show slb spdy-proxy [debug] [detail]
debug Show debug information.
Mode All
Example Sample output for this command:
ACOS# show slb spdy-proxy

Total
------------------------------------------------------------------
Curr Proxy Conns 0
Total Proxy Conns 0
Curr HTTP Proxy Conns 0
Total HTTP Proxy Conns 0
Version 2 Streams 0
Version 3 Streams 0
Curr Streams 0
Total Streams 0
Streams(succ) 0
Server RST sent 0
Server GOAWAY sent 0
TCP sock error 0
Inflate context 0
Deflate context 0
PING sent 0
STREAM not found 0
Client FIN 0
page 466
Server FIN 0
Stream close 0
Session close 0
Stream err 0
Session err 0
Control frame rcvd 0
SYN stream 0
SYN reply 0
RST 0
Setting 0
Ping 0
Goaway 0
Headers 0
Window update 0
Data frame rcvd 0
Dt no stream found 0
Dt no stream & goaway 0
Dt no str&gw & cl ses 0
Est callback no tuple 0
Dat callback no tuple 0
Contex alloc fail 0
FIN close session 0
Serv RST close stream 0
Stream found 0
Clse St ses not found 0
Clse St str not found 0
Clsing closed stream 0
Str cl session close 0
Clsing closed session 0
Max conc stream limit 0
Stream alloc fail 0
HTTP conn alloc fail 0
Req/Header alloc fail 0
NV tot len exceed 0
NV zero name length 0
NV ivld http version 0
NV connection 0
NV keep alive 0
NV proxy-connection 0
NV transfer encoding 0
NV no must have 0
Decompress fail 0
SYN after goaway 0
Stream id < previous 0
page 467
Str already exist 0

Unidirectional SYN 0
Syn reply alr rcvd 0
Cl RST str not found 0
Win upd no str found 0
Invalid window size 0
Unknown control frame 0
Data on closed stream 0
Invalid frame size 0
Invalid version 0
Hdr after ses close 0
Compr ctx alloc fail 0
Header compress fail 0
HTTP data ses close 0
HTTP data str nt fnd 0
Clse Str not http-pr 0
Session needs reque 0
New Str aftr Ses del 0
HTTP fin str alr clsd 0
HTTP cl str alr clsd 0
HTTP err str alr clsd 0
HTTP hdr str alr clsd 0
HTTP data str alr clsd 0
show slb ssl

Description Show SSL statistics.
Syntax show slb ssl {
counters vserver vport |
error |
stats |
}
counters Shows the number of successes and failures for key exchange methods, and SSL/TLS
version. Shows the session cache count for new, hits, missed, and expired. Shows the
average handshake time and total renegotiations.
error Shows errors such as cookie mismatch, wrong signature length, unsupported cipher,
incorrect public key, no certificate returned, etc.
stats Shows statistics for SSL modules.
Mode All
Example The following command shows SSL SLB statistics:
ACOS# show slb ssl stats
page 468
SSL module: Hardware

Number of SSL modules: 5
SSL module 1
number of enabled crypto engines: 8
number of available crypto engines: 8
number of requests handled: 0
SSL module 2
SSL module 3
SSL module 4
SSL module 5
Current clientside SSL connections: 0
Total clientside SSL connections: 0
Current serverside SSL connections: 0
Total serverside SSL connections: 0
Total times of reusing SSL sessions(IDs) in client ssl 0
Total times of reusing SSL sessions(IDs) in server ssl 0
Failed SSL handshakes: 0
Failed crypto operations: 0
Dropped serverside SSL connections: 0
SSL memory usage: 0 bytes
SSL server certificate errors: 0
SSL fail CA verification 0
HW Context Memory Total Count 248550
HW Context Memory in Use 0
HW Context Memory alloc failed 0
HW ring full 0
Record too big 0
Total client ssl context malloc failures: 0
SSL Forward Proxy

Bypass Failsafe SSL sessions: 15433
Bypass SNI sessions: 0
page 469
Bypass Client Auth sessions: 1492

Failed in SSL handshakes: 2278
Failed in crypto operations: 1
Failed in TCP: 1491
Failed in Certificate verification: 7618
Failed in Certificate signing: 0
Invalid OCSP Stapling Response: 0
Revoked OCSP Response: 0
The following table describes the fields on this output.
Field Description
SSL Module “Hardware” indicates SSL processing occurs in hardware
modules. “Software” indicates SSL processing occurs in
ACOS software.
Number of SSL modules Total number of SSL processing modules on the ACOS
device.
SSL module n ID number of the SSL module to which the following statis-
tics apply.
number of enabled crypto engines Number of SSL encryption/decryption processing engines
that are enabled.
number of available crypto engines Number of SSL encryption/decryption processing engines
that are available on the device.
number of requests handled Number of SSL requests handled by the SSL processing
engine.
Current clientside SSL connections Number of currently active SSL client-side SSL sessions
(sessions between ACOS and clients).
Total clientside SSL connections Total number of SSL client-side sessions since the last time
statistics were cleared.
Current serverside SSL connections Number of currently active SSL server-side SSL sessions
(sessions between ACOS and servers).
Total serverside SSL connections Total number of SSL server-side sessions since the last time
statistics were cleared.
Total times of reusing SSL sessions(IDs) in cli- SSL session-ID reuse statistics.
ent ssl
Total times of reusing SSL sessions(IDs) in
server ssl
Failed SSL handshakes Number of SSL sessions in which the SSL security hand-
shake failed.
Failed crypto operations Number of times an encryption/decryption failure occurred
for an SSL record.
Dropped serverside SSL connections Total number of SSL server-side sessions dropped since the
last time statistics were cleared.
SSL memory usage Amount of memory in use by the SSL processing module.
SSL server certificate errors Total count of certificate errors.
page 470
Field Description
SSL fail CA verification Number of times an SSL session was terminated due to a
certificate verification failure.
HW Context Memory Total Count Total amount of hardware available for SSL context memory
allocation.
HW Context Memory in Use Total amount of hardware in use for SSL context memory
allocation.
HW Context Memory alloc failed Number of times the encryption processor was unable to
allocate memory.
HW ring full Number of times the ACOS software was unable to enqueue
an SSL record to the SSL processor for encryption/decryp-
tion. (Number of times the processor reached its perfor-
mance limit.)
Record too big Number of times the ACOS device received an SSL record
that spanned across more than 64 packets.
Total client ssl context malloc failures Number of times ACOS failed to allocate memory for client
SSL context memory.
Bypass Failsafe SSL sessions Number of bypassed SSL sessions
Bypass SNI sessions Number of bypassed SSL sessions based on SNI criteria
specified in the ACOS configuration.
Bypass Client Auth sessions Number of bypassed SSL sessions based on client authentic
criteria specified in the ACOS configuration.
Failed in SSL handshakes Number of SSL sessions in which the SSL security hand-
shake failed.
Failed in crypto operations Number of times an encryption/decryption failure occurred
for an SSL record.
Failed in TCP Number of TCP sessions that failed.
Failed in Certificate verification Number of SSL sessions in which the SSL security hand-
shake failed.
Failed in Certificate signing Number of times an SSL session was terminated due to a
certificate verification failure.
Invalid OCSP Stapling Response Number of times an SSL session was terminated due to a
certificate verification failure message in the OCSP stapling
response.
Revoked OCSP Response Number of times an SSL session was terminated due to a
certificate verification failure message in the OCSP response.
show slb ssl-cert-revoke-stats

Description Show statistics for certificate revocation check.
Syntax show slb ssl-cert-revoke-stats
Example ACOS# show slb ssl-cert-revoke-stats

OCSP stapling response good: 0
Certificate chain status good: 0
Certificate chain status revoked: 0
Certificate chain status unknown: 0
page 471
OCSP requests: 0
OCSP responses: 0
OCSP connection errors: 0
OCSP URI not found: 0
OCSP URI https: 0
OCSP URI unsupported: 0
OCSP response status good: 0
OCSP response status revoked: 0
OCSP response status unknown: 0
OCSP cache status good: 0
OCSP cache status revoked: 0
OCSP cache miss: 0
OCSP cache expired: 0
OCSP other errors: 0
CRL requests: 0
CRL responses: 0
CRL connection errors: 0
CRL URI not found: 0
CRL URI https: 0
CRL URI unsupported: 0
CRL response status good: 0
CRL response status revoked: 0
CRL response status unknown: 0
CRL cache status good: 0
CRL cache status revoked: 0
CRL other errors: 0
The following table describes the fields on this output.
Field Description
OCSP stapling response good Number of times the OCSP stapling response was good.
Certificate chain status good Number of times the certificate chain status was good.
Certificate chain status revoked Number of times the certificate chain status was revoked.
Certificate chain status unknown Number of times the certificate chain status was unknown.
OCSP requests Number of OCSP requests.
OCSP responses Number of OCSP responses.
OCSP connection errors Number of OCSP connection errors.
OCSP URI not found Number of times the OCSP URI was not found.
OCSP URI https Number of times the OCSP URI was HTTPS.
OCSP URI unsupported Number of times the OCSP URI was unsupported.
OCSP response status good Number of times the OCSP response status was good.
OCSP response status revoked Number of times the OCSP response status was revoked.
OCSP response status unknown Number of times the OCSP response status was unknown.
OCSP cache status good Number of times the OCSP cache status was good.
OCSP cache status revoked Number of times the OCSP cache status was revoked.
OCSP cache miss Number of times the OCSP cache was missed.
OCSP cache expired Number of times the OCSP cache was expired.
page 472
Field Description
OCSP other errors Number of times OCSP had other errors.
CRL requests Number of CRL requests.
CRL responses Number of CRL responses.
CRL connection errors Number of CRL connection errors.
CRL URI not found Number of times the CRL URI was not found.
CRL URI https Number of times the CRL URI was HTTPS.
CRL URI unsupported Number of times the CRL URI was unsupported.
CRL response status good Number of times the CRL response status was good.
CRL response status revoked Number of times the CRL response status was revoked.
CRL response status unknown Number of times the CRL response status was unknown.
CRL cache status good Number of times the CRL cache status was good.
CRL cache status revoked Number of times the CRL cache status was revoked.
CRL other errors Number of times CRL had other errors.
show slb ssl-counters

Description Shows the number of successes and failures for key exchange methods, and
SSL/TLS version. Shows the session cache count for new, hits, missed, and
expired. Shows the average handshake time and total renegotiations.
Syntax show slb ssl-counters [vserver [vport]]
Field Description
vserver Specifies virtual server name. 1 to 127 characters.
vport Specifies virtual port ID. Integer from 0 to 65534. No default
value.
Example In this example, the TPS device is configured with two virtual servers, vip1
and vip2, each of which is bound to two virtual ports each, 443 and 444.
The statistics of vip1, port 443
ACOS# sh slb ssl-counters vip1 443

Virtual Server Name: vip1 Port: 443
--------------------------------------------------------------------------------
Cumulative sessions = 4
ID Name Successes Failures

0x0300002f TLS1_RSA_AES_128_SHA 1 0
0x0300003d TLS1_RSA_AES_256_SHA256 3 0
page 473
Key Exchange Methods Successes Failures

RSA
1024 bits 4 0
ECDHE
DHE
SSL/TLS Version Successes Failures

TLS1.1 1 0
TLS1.2 3 0
Session Cache Count

New 4
Hit 0
Miss 0
Expired 0
Handshake Average time = 7 ms
Renegotiation Counters
Total renegotiations = 0
Renegotiated SSL/TLS Versions Successes Failures

(none used)
The statistics of vip1, port 444
ACOS# sh slb ssl-counters vip1 444

Virtual Server Name: vip1 Port: 444
--------------------------------------------------------------------------------
Cumulative sessions = 3
ID Name Successes Failures

0x0300000a SSL3_RSA_DES_192_CBC3_SHA 1 0
0x0300009d TLS1_RSA_AES_256_GCM_SHA384 2 0
Key Exchange Methods Successes Failures

RSA
2048 bits 3 0
ECDHE
DHE
SSL/TLS Version Successes Failures

SSLv3 1 0
page 474
TLS1.2 2 0
Session Cache Count

New 3
Hit 0
Miss 0
Expired 0
Handshake Average time = 10 ms
Renegotiation Counters
Total renegotiations = 0
Renegotiated SSL/TLS Versions Successes Failures

(none used)
show slb ssl-crl

Description Show the retrieved Certificate Revocation List for a specific virtual port. If the
certificate issuers have listed expiration dates for the certificates, then this
command will show you the issuer and the expired or not expired status.
Syntax show slb ssl-crl vserver vport
Example ACOS# show slb ssl-crl vip1 443
Virtual server(vipw : 443):
----Retrieved CRL----
Issuer: /C=FR/O=Certplus/CN=Class 2 Primary CA
Status: Not expired
Issuer: /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign

Status: Expired
Issuer: /CN=ComSign Secured CA/O=ComSign/C=IL

Status: Expired
Issuer: /C=US/O=Network Solutions L.L.C./CN=Network Solutions Cer-

tificate Authority
Status: Expired
Issuer: /C=US/O=SecureTrust Corporation/CN=Secure Global CA

Status: Expired
page 475
Issuer: /C=US/O=SecureTrust Corporation/CN=SecureTrust CA

Status: Expired
Issuer: /C=SK/L=Bratislava/O=Disig a.s./CN=CA Disig

Status: Expired
Issuer: /C=EU/O=AC Camerfirma SA CIF A82743287/OU=http://www.cham-

bersign.org/CN=Chambers of Commerce Root
Status: Expired
Issuer: /CN=ACCVRAIZ1/OU=PKIACCV/O=ACCV/C=ES
Status: Expired
Issuer: /C=EU/O=AC Camerfirma SA CIF A82743287/OU=http://www.cham-

bersign.org/CN=Global Chambersign Root
Status: Expired
Issuer: /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/

CN=StartCom Certification Authority
Status: Expired
Issuer: /C=DE/O=TC TrustCenter GmbH/OU=TC TrustCenter Class 2 CA/

CN=TC TrustCenter Class 2 CA II
Status: Not expired
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/

CN=AAA Certificate Services
Status: Expired
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/

CN=Secure Certificate Services
Status: Expired
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/

CN=COMODO Certification Authority
Status: Expired
Issuer: /C=HU/L=Budapest/O=Microsec Ltd./OU=e-Szigno CA/CN=Microsec

e-Szigno Root CA
Status: Expired
Issuer: /CN=Autoridad de Certificacion Raiz del Estado Venezolano/

C=VE/L=Caracas/ST=Distrito Capital/O=Sistema Nacional de Certifica-
cion Electronica/OU=Superintendencia de Servicios de Certificacion
Electronica/[email protected]
Status: Not expired
page 476
----End of CRL----
17 CRL retrieved
show slb ssl-expire-check

Description Display information about email notification of expired certificates.
Syntax show slb ssl-expire-check
Mode All
show slb ssl-forward-proxy-cert

Description Display hash entries for server certificates forged by ACOS device for SSLi.
Also, display status of the forward-proxy-cert process. The state field dis-
plays whether the server certificate is being verified, whether a CA certificate
is in the process of being forged, whether the ACOS software is ready to
forge a new CA certificate, or whether ACOS software is in the ready state.
Syntax show slb ssl-forward-proxy-cert name num {ipaddr | all} [sni]
name Wildcard VIP name.
num Virtual port number to which clients send requests (for example, 443).
ipaddr | all Displays entries for the certificate associated with a specific server IP address or for all
server IP addresses. The default is all.
sni The full or partial SNI of the server from which the inside ACOS device imported the
self-signed certificate and private key.
• If you enter the IP address of the server, sni must be an exactly the same as in the
certificate cache. You must enter the full SNI that is exactly the same as in the certif-
icate cache. sni, The hashing activity for only that specific certificate is reported.
• If you enter the keyword all, sni can be a partial match to the full server name. If a
group of servers meets this partial match, all servers in this group are reported.
Usage The following field values appear in the output of this command :]
Field Description
Real Server • This field specifies the gateway IP address and protocol port of the server that clients
are trying to connect to.
Server Name • This field specifies the URL or SNI of the server that clients are trying to connect to.
page 477
Field Description
state • state: cert verifying
The certificate of the server specified by the Real Server and Server Name fields is in
the process of being verified.
• state: cert forging
The ACOS device is forging the certificate it will use for SSL sessions with clients try-
ing to reach the specified server.
• state: ready to forge
The ACOS has verified the specified server’s certificate is not revoked, and it is ready
to forge certificates it will use for SSL sessions with clients trying to reach the speci-
fied server.
• state: ready
The forge certificate is in the ACOS cache.
hit times The number of occurrences that a new session matches this certificate.
idle time The amount of time since the previous hit.
timeout after The certificate will be removed after this amount of idle time without any hits.
expires after The certificate is removed after this amount of time has passed since the certificate
was created.
Default None
Mode All
Example The following example displays the status of the SSL forward proxy certifi-
cates.
ACOS# show slb ssl-forward-proxy-cert VIP1 443 all

Virtual server(VIP1 : 443):
----Start One Certificate---

Real Server : 52.8.106.9 :443 tcp
Server name: bnc.lt
state: cert verifying
----End One Certificate---

Real Server : 209.170.210.156 :443 tcp
Server name: stats.ebizautos.com
state: cert forging
page 478

Real Server : 54.215.175.93 :443 tcp
Server name: api.branch.io
state: ready to forge cert

Real Server : 216.58.192.46 :443 tcp
Server name: maps.google.com
state: ready
hit times : 6
idle time : 0 seconds
timeout after 3600 seconds
expires after 603641 seconds
Example In the following example, the virtual server name is vsn1. Its protocol port is
443. The IP address of the real server is 15.15.15.18. And, EnterpriseABC-
server is the SNI of the real server the ACOS device proxies for.
ACOS# show slb ssl-forward-proxy-cert vsn1 443 ipaddr 15.15.15.18 EnterpriseABC-

server
Virtual server port vip: 443

Real Server : 15.15.15.18 :443 tcp
Servername: EnterpriseABC-server
hash index : 1000
hit times : 1
idle time : 15 seconds
expires after 604775 seconds
version : 3:
subject: /CN=ubuntu
common Name: ubuntu
division:
locality:
state or province:
country Name:
subject Alt Name::
email:
start time: Jun 5 18:01:25 2014 GMT
expire time: Jun 2 18:01:25 2024 GMT
issuer: /C=US/ST=CA/L=San Jose/O=ATR STED/OU=dev/CN=www.atrsted.com/emailAd-
[email protected]
page 479
Total number of particular certificates that are printed is 1
show slb ssl-forward-proxy-stats

Description Show SSLi statistics.
Syntax show slb ssl-forward-proxy-stats
Default None
Mode All
Example The following example shows the counter fields provided by the show slb
ssl-forward-proxy-stats command.
ACOS(config)# show slb ssl-forward-proxy-stats

Bypass Failsafe SSL sessions: 0
Bypass SNI sessions: 0
Bypass Client Auth sessions 0
Failed in SSL handshakes 0
Failed in crypto operations 0
Failed in TCP 0
Failed in Certificate verification 0
Invalid OCSP Stapling Response 0
Revoked OCSP Response 0
Unsupported SSL version 0
Certificates created 0
Certificates expired 0
Certificate cache hits 0
Certificate cache miss 0
Connections bypassed 0
Connections inspected 0
show slb ssl-ocsp cache

Description Displays summarized contents of the SSL OCSP cache.
Syntax show slb ssl-ocsp cache
Default None
Mode All
page 480
Usage The following table describes the fields in the command output:
Field Description
Total The total number of cached requests is listed.
Common Name The common certificate name is listed.
Status Good, revoked or unknown will appear to indicate certificate status.
Example The following example displays the contents of the SSL OSCP cache:
ACOS# show slb ssl-ocsp cache

Total: 2
Common Name Status
-------------------------------------------------------------------
Company1 Internet Authority G2 Good
Company2 Root Certificate Authority - G2 Good
show slb ssl-ocsp cache detail

Description Displays detailed contents of the SSL OCSP cache.
Syntax show slb ssl-ocsp cache detail
Default None
Mode All
Usage The following table describes the fields in the command output:
Field Description
Total The total number of certificates in the ACOS cache
Name Certificate name
Subject Certificate subject name
Length: Length of the certificate in bytes
URI: URI of the certificate owner
Expire: Time in seconds remaining before the certificate expires
Hits: Number of times certificate was called from the cache by SSL proxy handshake with a
client.
Example Use command to display information on SSL OCSP cache, including the
name of the company, status, subject, length, URI, expiration, and number of
hits.
ACOS# show slb ssl-ocsp cache detail

Total: 1
page 481
-------------------------------------------------------------------
Name: Company1 Internet Authority G2
Status: Good
Subject: /C=US/O=Company1 Inc/CN=Company1 Internet Authority G2
Length: 1012
URI: http://a.example.com/
Expire: 17731488
Hits: 760
show slb switch

Description Show SLB switching statistics.
Syntax show slb switch [detail | ethernet port-num [detail]]
detail Shows statistics per individual CPU in the output.
ethernet port-num Shows statistics only for the specified Ethernet port.
Mode All
Example The following command shows summary SLB switching statistics:
ACOS# show slb switch

Total
------------------------------------------------------------------
L2 Forward 2793
L3 IP Forward 0
IPv4 No Route Drop 0
L3 IPv6 Forward 0
IPv6 No Route Drop 0
L4 Process 709223
Incorrect Len Drop 0
Prot Down Drop 289
Unknown Prot Drop 32136
TTL Exceeded Drop 0
Link Down Drop 0
SRC Port Suppresion 0
VLAN Flood 141022
IP Fragment Rcvd 0
ARP REQ Rcvd 80272
ARP RESP Rcvd 15939
Forward Kernel 91163
IP(TCP) Fragment Rcvd 0
IP Fragment Overlap 0
page 482
IP Frag Overload Drops 0

IP Fragment Reasm OKs 23
IP Fragment Reasm Fails 0
IP Fragment Timeout 0
Anomaly Land Attack Drop 0
Anomaly IP OPT Drops 0
Anomaly PingDeath Drop 0
Anomaly All Frag Drop 0
Anomaly TCP noFlag Drop 0
Anomaly SYN Frag Drop 0
Anomaly TCP SYNFIN Drop 0
Anomaly Any Drops 0
BPDUs Received 0
BPDUs Sent 0
ACL Denys 0
SYN rate exceeded Drop 0
Packet Error Drops 0
IPv6 Frag UDP 0
IPv6 Frag TCP 0
IPv6 Frag ICMP 0
IPv6 Frag OSPF 0
IPv6 Frag ESP 0
IPv6 Frag Reasm OKs 0
IPv6 Frag Reasm Fails 0
IPv6 Frag Invalid Pkts 0
Bad Pkt Drop 0
IP Frag Exceed Drop 0
IPv4 No L3 VLAN FWD Drop 0
IPv6 No L3 VLAN FWD Drop 0
L2 Default Vlan FWD Drop 507865
BW Limit Drop 0
License Expire Drop 0
L4 Misc Er 0
Management Service Drop 0
Jumbo Frag Drop 0
IPv6 Jumbo Frag Drop 0
Field Description
L2 Forward When the ACOS device is acting as a Layer-2 switch and receives a packet
that has the destination MAC address in its MAC table, ACOS sends the
packet to the outgoing interface (as per the MAC table entry) and increments
this counter.
L3 IP Forward Number of packets that have been Layer 3 routed.
page 483
Field Description
IPv4 No Route Drop Number of IPv4 packets that were dropped due to routing failures.
L3 IPv6 Forward Number of IPv6 packets that have been Layer 3 routed.
IPv6 No Route Drop Number of IPv6 packets that were dropped due to routing failures.
L4 Process Number of packets that went to a VIP or NAT for processing.
Incorrect Len Drop Number of packets dropped due to incorrect protocol length.
Note: A high value for this counter can indicate a packet length attack.
Prot Down Drop • Number of IPv6 packets received on an interface for which there was no
IPv6 address configured.
• Number of IPv4 packets received on an interface for which there was no

IPv4 address configured.
Unknown Prot Drop Number of times ACOS dropped a packet because the packet was not one of
the following: IPv4, IPv6, or ARP
TTL Exceeded Drop Number of packets dropped due to TTL expiration.
Link Down Drop Number of packets dropped because the outgoing link was down.
SRC Port Number of packets dropped because the source and destination interface
Suppression within the same VLAN is same.
VLAN Flood Number of times ACOS received a packet that did not have the destination
MAC address in the MAC table, causing ACOS to flood the packet out all other
interfaces on the VLAN.
IP Fragment Rcvd Number of IPv4 fragments that have been received.
ARP REQ Rcvd Number of ARP requests the ACOS device received.
ARP RESP Rcvd Number of ARP responses the ACOS device received in response to an ARP
request sent by itself.
Forward Kernel When the ACOS device receives a health monitor packet (for example, LACP
or ARP packets), ACOS forwards these packets to the kernel for processing
and increments this counter.
IP(TCP) Fragment Rcvd Number of IP TCP fragments received.
IP Fragment Overlap Number of overlapping fragments received.
IP Frag Overload Drops Number of fragments dropped due to overload.
IP Fragment Reasm OKs Number of successfully reassembled IP fragments.
IP Fragment Timeout Number of times ACOS device does not receive subsequent fragments for
fragmentation reassembly.
IP Fragment Reasm Fails Number of IP fragment reassembly failures.
Anomaly Land Attack Drop Number of SYN packets dropped because they were spoofed (used the desti-
nation IP address as the source IP address).
Anomaly IP OPT Drops Number of packets dropped because they had IP options set.
Anomaly PingDeath Drop Number of oversized (longer than 32 K) ICMP packets dropped.
An oversized ICMP packet can trigger Denial of Service (DoS), crashing, freez-
ing, or rebooting.
Anomaly All Frag Drop Number of IP fragments dropped.
page 484
Field Description
Anomaly TCP noFlag Drop Number of TCP packets dropped because they had no flags set.
TCP packets are normally sent with at least one bit in the flags field set.
Anomaly SYN Frag Drop Number TCP SYN fragments dropped that had the fragmentation bit set.
A SYN fragment attack floods the target host with SYN packet fragments. An
unprotected host will store the fragments, in order to reassemble them. By not
completing the connection, and flooding the server or host with such frag-
mented SYN packets, the attacker can cause the host’s memory buffer to fill
up eventually.
Anomaly TCP SYNFIN Drop Number of TCP packets dropped that had TCP SYN and FIN bits set.
An attacker can send a packet with both bits set to determine what kind of
system reply is returned, and then use the system information for further
attacks using known system vulnerabilities. Also, some older devices will let
such packets through even though there is an established ACL defined and
the state of the TCP connection is not considered to be established.
Anomaly Any Drops Total number of packets dropped by IP anomaly filtering.
BPDUs Received Number of Bridge Protocol Data Units (BPDUs) received.
BPDUs Sent Number of Bridge Protocol Data Units (BPDUs) sent.
ACL Denys Number of times traffic was not forwarded due to a deny rule in an Access
Control List (ACL).
This counter also includes traffic dropped due to the l3-vlan-fwd-disable

action in ACL rules.
SYN rate exceeded Drop Number of packets dropped because the TCP SYN threshold had been
exceeded.
Packet Error Drops Number of times the ACOS device dropped a packet due to a TCP/UDP check-
sum error.
IPv6 Frag UDP Number of IPv6 UDP fragments received by the ACOS device.
IPv6 Frag TCP Number of IPv6 TCP fragments received by the ACOS device.
IPv6 Frag ICMP Number of IPv6 ICMP fragments received by the ACOS device.
IPv6 Frag OSPF Number of IPv6 OSPF fragments received by the ACOS device.
IPv6 Frag ESP Number of IPv6 ESP fragments received by the ACOS device.
IPv6 Frag Reasm OKs Number of successfully reassembled IPv6 fragments.
IPv6 Frag Reasm Fails Number of IPv6 fragment reassembly failures.
IPv6 Frag Invalid Pkts Number of IPv6 fragments that were invalid.
Bad Pkt Drop Number of bad packets dropped; this is a cumulative number for all packets
that could not be processed (for example, packet has an incorrect length).
IP Frag Exceed Drop Number of fragmented IP packets that were dropped because they exceeded
the allowed maximum.
IPv4 No L3 VLAN FWD Drop Number of IP packets that were dropped by the l3-vlan-fwd-disable action in
an IPv4 ACL.
IPv6 No L3 VLAN FWD Drop Number of IP packets that were dropped by the l3-vlan-fwd-disable action in
an IPv6 ACL.
page 485
Field Description
L2 Default VLAN FWD Drop Number of times The DLF packets were dropped because the ACOS is config-
ured to disallow flooding on the default VLAN (VLAN1).
BW Limit Drop Number of packets dropped because they exceeded the bandwidth limit.
NOTE: This field does not apply to hardware models.

License Expire Drop Number of packets dropped due to an invalid license.
NOTE: This field does not apply to hardware models.

L4 Misc Er Number of Layer 4 packets dropped due to miscellaneous errors.
Management Service Drop Number of times management traffic was drop because the specific service
type was not enabled.
Jumbo Frag Drop Number of dropped fragmented IPv4 jumbo packets.
IPv6 Jumbo Frag Drop Number of dropped fragmented IPv6 jumbo packets.
Example The following command shows detailed SLB switching statistics for Ether-
net port 1:
ACOS# show slb switch ethernet 1 detail

DP0 DP1 DP2 Total
------------------------------------------------------------------
L2 Forward 2115 227 453 2795
L3 IP Forward 0 0 0 0
IPv4 No Route Drop 0 0 0 0
...
show slb syn-cookie

Description Show SLB hardware SYN-cookie statistics
Syntax show slb syn-cookie
Mode All
show slb syn-cookie-buffer

Description Show SYN-cookie buffer statistics.
Syntax show slb syn-cookie-buffer
Mode All
Example The following command shows SYN-cookie buffer information:
ACOS# show slb syn-cookie-buffer

Maximum SYN cookie buffer size : 10
Total SYN cookie buffer queued : 0
page 486
Total SYN cookie buffer drop : 0
show slb tcp stack

Description Show statistics for TCP SLB.
Syntax show slb tcp stack [detail]
Mode All
Example The following command shows summary TCP stack statistics:
ACOS# show slb tcp stack

Total
------------------------------------------------------------------
Currently EST conns 29
Active open conns 6968
Passive open conns 7938
Connect attemp failures 0
Total in TCP packets 678804
Total out TCP packets 712974
Retransmited packets 359
Resets rcvd on EST conn 5369
Reset Sent 4303
Field Description
Currently EST conns Current number of established TCP connections being
handled by the proxy.
Active open conns Number of active connections open.
Passive open conns Number of passive connections open.
Connect attemp fail- Number of TCP connection attempts that failed.
ures
Total in TCP packets Total number of TCP packets received by the TCP
proxy.
Total out TCP packets Total number of TCP packets sent by the TCP proxy.
Retransmitted packets Number of TCP packets retransmitted by the TCP
proxy.
Resets rcvd on EST Number of TCP Resets received for established con-
conn nections.
page 487
Field Description
Reset Sent Number of TCP Resets sent by the ACOS device.
TCPIP out noroute Number of times request failed to send due to route
failure.
show slb template

Description Show configuration information for SLB templates. The template configura-
tion commands in the running-config are displayed.
Syntax show slb template

[template-type
[certificate-status]
[default]
[template-name]
]
[all-partitions]
[partition {shared | name}]
template-type The type of SLB template configure.
Enter show slb template ? to view a list of supported template types.

certificate-status Show the status of the virtual server’s certificate (OCSP-Stapling)
default Show the configuration of the default template.
template-name Show the configuration of the specified template.
all-partitions Show SLB template configuration in all partitions.
partition Show SLB template configuration in the specified partition only.
Mode All
Example The following command shows the template configuration commands in the
running-config on an ACOS device:
ACOS# show slb template

slb template udp udp-aging
aging immediate
slb template http X-Forwarded-For
insert-client-ip "X-Forwarded-For"
compression minimum-content-length 120
slb template http clientip-insert
insert-client-ip "x-Forwarded-For"
slb template http cookie-delete
header-erase "Cookie"
slb template http hostdelete
header-erase "Host"
slb template http hostinsert
page 488
header-insert "Host: www.example.com"

slb template http http100
header-insert "Expect: 100-continue"
slb template http httpinsert
header-erase "Host"
header-insert "Host: www.example.com"
slb template tcp-proxy tcp-timeout
idle-timeout 180
slb template connection-reuse creuse
timeout 60
--MORE--
show slb template policy forward-policy-stats

Description Displays statistics for the configured forward policies
Mode all modes
Usage Statistics for the following fields are displayed::
Field Description
slb template policy name The name of the policy template the forward-policy is bound to.
Source NAT failure The count of source NAT failures.
Unresolved DNS The count of DNS requests for the IP address of the downstream server that could
requests not be resolved.
Outstanding DNS The current number of queued DNS requests.
requests
Hits The count of the matches to the source IP address specified in the forward-policy.
Requests forward to Number hits that have been forwarded to the Internet URL requested by the cli-
Internet ents.
Requests forward to Ser- The count of hits that have been forwarded to service-group specified in the for-
vice Group ward-policy.
Requests forward to Number of hits forwarded to another HTTP proxy server in the forward-policy.
Proxy
Requests dropped The count of client connection requests dropped.
Source Match not found Number of client connection requests where the source IP address could not be
found.
Expected Client HELLO The count of client connection requests in which the HELLO message was absent
requests not found or could not be parsed.
Example The policy template defines what actions are applied to upstream traffic by
the client-facing virtual server on the ACOS device. A configuration of this
policy template follows:
slb template policy Explicit_Proxy
page 489
forward-policy
action Permit_to_Internet
forward-to-internet FW1_Inspect_SG snat Internet_Pool log
source Any_Source
match-any
destination any action Permit_to_Internet
Example The statistics for the policy template Explicit_Proxy follow:
ACOS# show slb template policy forward-policy-stats
slb template policy name: Explicit_Proxy

Source NAT failure: 0
Unresolved DNS requests: 0
Outstanding DNS requests: 0
Hits: 0
Requests forward to Internet: 0
Requests forward to Service Group: 0
Requests forward to Proxy: 0
Requests dropped: 0
Source Match not found: 0
Expected Client HELLO requests not found: 0
show slb virtual-server

Description Show information for SLB virtual servers.
Syntax show slb virtual-server [

virtual-server-name
[vport-num
{
port-type [service-group-name] |
detail |
host-hits-counter {host-name | all} |
url-hits-counter {url-string | all}
}
]
[bind]
[config]
[all-partitions]
[partition {shared | name}]
page 490
Option Description
virtual-server-name Shows information only for the specified virtual server.
• The vport-num port-type option shows information only for the specified vir-
tual port on the virtual server.
• The service-group-name option further restricts the output, to show informa-

tion only for the specified service group.
• The detail option displays connection and packet statistics. Specifying

detail also shows the connection rate per virtual port for each virtual server.
For more information, see the examples below.
• The host-hits-counter option displays rule-matching statistics for host

switching. Each time traffic matches a host-matching rule in an HTTP tem-
plate, the applicable “hits” counter is incremented.
• The url-hits-counter option displays rule-matching statistics for URL

switching. Each time traffic matches a URL-switching rule in an HTTP tem-
plate, the applicable “hits” counter is incremented.
all-partitions Show information for all partitions.
bind Includes the service groups and real servers and ports bound to the virtual ports.
config Displays virtual-server configuration information.
You can optionally specify the specific partition for which you want to view this
configuration.
partition Show information for a specific partition.
Mode All
Usage To display virtual-server information for a specific partition, use the parti-
tion option; use partition shared for the shared partition, or partition
name, where name is a specific L3V partition.
Example The following command shows summary information for all virtual servers:
ACOS# show slb virtual-server

Total Number of Virtual Services configured: 2
Virtual Server Name IP Current Total Request Response Peak
Service-Group Service connection connection packets packets connection
------------------------------------------------------------------------------------------
-
*v-server(A) 3.1.1.99
port 80 http 0 3 14 10 611
abctcp 80/http 0 2 14 10 2112
Total received conn attempts on this port: 3
port 53 udp 0 0 0 0 411
abcudp 53/udp 0 0 0 0 696969
Total received conn attempts on this port: 0
page 491
...
Field Description
Total Number of Virtual Services config- Total number of virtual services (virtual server ports) configured on
ured the ACOS device.
Virtual Server Name Name of the virtual server.
Underneath the virtual server name, each of the virtual ports on the
server is listed, followed by the service groups in which the virtual
server and the virtual port are members.
In the example above, virtual server “v-server” has two virtual ports,
HTTP port 80 and UDP port 53. HTTP port 80 is a member of ser-
vice group “abctcp”, and UDP port 53 is a member of service group
“abcudp”.
For each VIP, its VRRP-A state on the ACOS device is shown by
one of the following:
• (A) – VIP is in active state on this ACOS device.
• (S) – VIP is in standby state on this ACOS device.
The primary servers are listed under the virtual port. If alternates
are configured for a primary server, the alternates are listed under
the primary server. If an asterisk is shown at the end of an alter-
nate server name, the primary server is down and the alternate
server is active instead.
IP Virtual IP address of the virtual server.
Current connection Current number of connections to the virtual service port.
NOTE: Connection and packet counters are listed separately for

virtual ports and for service groups.
Total connection Total number of connections to the virtual service port.
Request packets Number of request packets received for the virtual service.
Response packets Number of server reply packets sent by the ACOS device for the vir-
tual service.
Note: Peak connection statistics are collected only if the extended-

stats option is enabled. To enable extended-stats, see the follow-
ing:
• “extended-stats” on page 342 (individual virtual server)
• “extended-stats” on page 357 (individual virtual service port)

Total received conn attempts on this Total number of connection requests received for this port.
port
page 492
Field Description
Service-Group Service group bound to the virtual service.
Service Virtual service port number and service type.
Example This command shows status information for SLB virtual server “v-server”:
ACOS(config)# show slb virtual-server v-server

Virtual server: v-server State: All Up IP: 3.1.1.99
Port Curr-conn Total-conn Rev-Pkt Fwd-Pkt Peak-conn
-------------------------------------------------------------------------------------
Virtual Port:80 / service:abctcp / state:All Up

port 80 http 0 3 10 14 1011
Source NAT Pool: pootest
Virtual Port:53 / service:abcudp / state:All Up

port 53 udp 0 0 0 0 811
Source NAT Pool: pootest
Total Traffic 0 3 10 14 1822
...
page 493
Field Description
Virtual Name of the virtual server.
server
State State information is shown separately for virtual servers and for individual virtual ports.
Virtual server state:
• All Up – All virtual ports on the virtual server are Running.
• Functional Up – Some of the virtual ports are Running or Functional Running, but at least
one of them is not Running.
• Partial Up – At least one virtual port is Running or Functional Running, but at least one other
virtual port is Down.
• Down – All the virtual ports are Down.
• Disb – The virtual server has been administratively disabled.
Virtual port state:
• All Up – All members (real servers and ports) in all service groups bound to the virtual port
are up.
• Functional Up – At least one member in a service group bound to the virtual port is up, but
not all members are up.
• Down – All members in all service groups bound to the virtual port are down.
Disb – The virtual port has been administratively disabled.

IP Virtual IP address of the virtual server.
Port Virtual port number and service type.
Curr-conn Current number of connections to the virtual service port.
Total-conn Total number of connections to the virtual service port.
Rev-Pkt Number of server reply packets sent by the ACOS device for the virtual service.
Fwd-Pkt Number of request packets received for the virtual service.
Peak-conn Peak connection count.
NOTE: Peak connection statistics are collected only if the extended-stats option is enabled. To
enable extended-stats, see the following:
Example The following command shows configuration information:
ACOS# show slb virtual-server config

page 494
Virtual server Name Address

------------------------------------------------
louis2 192.168.20.253
member0:louis 80/http
Source NAT Pool: p1 HTTP Template: clientip-insert
Reuse Template: cr Persist Cookie:cookie-persist
aFleX: bugzilla_proxy_fix
Field Description
Total Number of Virtual Services con- Total number of virtual services (virtual server ports) configured on
figured the ACOS device.
Virtual server Name Name of the virtual server.
Address Virtual IP address of the virtual server.
member Real server bound to the virtual server. The number at the end is
assigned by the ACOS device for this show command output.
Under the member name, the NAT pools and SLB templates bound
to the virtual server are listed.
Example The following command shows details for a virtual server:
ACOS# show slb virtual-server vip1 detail

Virtual server name: vip1
Virtual server IP address: 200.200.200.100
Virtual server MAC: 021f:a000:0000
Virtual server template: adi
Connection rate limit: 800000 per second
Connection rate over limit action: drop
Current request: 0
Total request: 0
Peak connections: 0
Current connection rate: 121 per second
page 495
Field Description
Virtual server name Name of the virtual server.
Virtual server IP IP address of the virtual server.
address
Virtual server MAC MAC address of the VIP.
Virtual server template Name of the virtual server template bound to the virtual server.
Current connection Current number of connections to the virtual port.
Current request Current number of HTTP requests being processed by the virtual port.
NOTE: In this field and the Total request and Total request success fields, Layer 7
mon” on page 20.
Total connection Total number of connections that have been made to the virtual port.
Total request Total number of HTTP requests processed by the virtual port.
Total forward bytes Number of request bytes forwarded to the virtual port.
Total forward packets Number of request packets forwarded to the virtual port.
Total reverse bytes Number of request bytes received from the virtual port.
Total reverse packets Number of request packets received from the virtual port.
Peak connections Peak connection count.


Current connection rate Current connection rate for the virtual port on the virtual server.
Example The following command shows details for a virtual port on a virtual server:
ACOS(config)# show slb virtual-server vip1 80 detail

Virtual port name: vip1:80:tcp
Virtual port number: 220.220.220.100:80
Virtual port template: default
Current request: 0
Total request: 0
page 496

Peak connections: 0
Response time: 1
Fastest Rsp time: 1
Slowest Rsp time: 1
Current connection rate: 268 per second
Field Description
Virtual port name Name of the virtual server, virtual port, and port type.
Virtual port number IP address of the virtual server and protocol port number of the virtual port.
Virtual port template Name of the virtual port template bound to the virtual port.
Current connection Current number of connections to the virtual port.
Current request Current number of HTTP requests being processed by the virtual port.
In this field and the Total request and Total request success fields, Layer 7 requests
are counted only if Layer 7 request accounting is enabled. See “slb common” on
page 20.
Total connection Total number of connections that have been made to the virtual port.
Total request Total number of HTTP requests processed by the virtual port.
Total forward bytes Number of request bytes forwarded to the virtual port.
Total forward packets Number of request packets forwarded to the virtual port.
Total reverse bytes Number of request bytes received from the virtual port.
Total reverse packets Number of request packets received from the virtual port.
Peak connections Peak connection count.
NOTE: Peak connection statistics are collected only if the extended-stats option
is enabled. To enable extended-stats, see the following:

Current connection rate Current connection rate for the virtual port on the virtual server.
Example The following command shows service group and port bindings:
ACOS# show slb virtual-server bind

---------------------------------------------------------------------------------
*Virtual Server : SanJose(A) 192.192.100.100 Down
page 497
+port 80 tcp ====>sg-80-1 State :Down

+rs-http:80 192.168.215.16 State : Down
*Virtual Server : Chicago(A) 192.192.200.200 All Up
+port 80 tcp ====>sg-80-2 State :All Up

+rs-http-2:80 192.168.215.13 State : Up
In this example, virtual port 80 on virtual server SanJose is bound to real port
80 on real server rs-http in service group sg-80-1. Likewise, virtual port 80 on
virtual server Chicago is bound to real port 80 on real server rs-http-2 in
service group sg-80-2.
For each VIP, its VRRP-A state on the ACOS device is shown by one of the
following:
• (A) – VIP is in active state on this ACOS device.

• (S) – VIP is in standby state on this ACOS device.
Example The following example shows the information displayed if alternate (backup)
servers are configured:
ACOS(config)# show slb virtual-server bind

---------------------------------------------------------------------------------
*Virtual Server : http-with-alternates(A) 192.168.10.10 Functional Up
+port 80 http ====>http1 State :Functional Up

+rs1:80 10.10.10.10 State : Up
Alternate: rs1-a1, rs1-a2, rs1-a3
+rs2:80 10.10.10.20 State : Down
Alternate: rs2-a1*, rs2-a2, rs2-a3
The primary servers are listed under the virtual port. Under each primary
server, that server’s alternate servers are listed.
If an asterisk is shown at the end of an alternate server name, the primary

server is down and the alternate server is active instead. In the example
above, rs2 is down, so alternate rs2-a1 is being used instead.
page 498
ACOS 4.1.1-P8 Command Line Interface Reference for ADC for A10 Thunder Series and AX Series
page 499
CONTACT US
5 a10networks.com/contact
ACOS 4.1.1-P8 COMMAND LINE INTERFACE REFERENCE FOR ADC 28 MARCH 2018

A10 4.1.1-P8 Cli-Slb PDF

Uploaded by

Copyright:

Available Formats

A10 4.1.1-P8 Cli-Slb PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

A10 4.1.1-P8 Cli-Slb PDF

Uploaded by

Copyright:

Available Formats

ACOS 4.1.

A10 NETWORKS INC. SOFTWARE LICENSE AND END USER AGREEMENT

Config Commands: Server Load Balancing ................................................................................ 19

Config Commands: SLB Templates ............................................................................................ 57

slb template smtp ........................................................................................................................ 97

Config Commands: SLB Cache Templates ................................................................................. 99

Config Commands: SLB Client SSL Templates ......................................................................... 107

Config Commands: SLB Policy Templates ............................................................................... 141

bw-list use-destination-ip .........................................................................................................147

Config Commands: SLB Real Port Templates ........................................................................... 161

Config Commands: SLB REQMOD ICAP Templates .................................................................. 175

Config Commands: SLB RESPMOD ICAP Templates ................................................................ 183

Config Commands: SLB Server Templates ............................................................................... 189

Config Commands: SLB Server SSL Templates ........................................................................ 201

SLB Server-SSL Template Configuration Mode Commands........................................... 204

Config Commands: SLB SIP Templates .................................................................................... 213

client-response-header erase ..................................................................................................228

Config Commands: SLB SMPP Templates ............................................................................... 237

Config Commands: SLB SMTP Templates ................................................................................ 241

Config Commands: SLB SSLi Templates .................................................................................. 247

Config Commands: SLB TCP Templates ................................................................................... 251

SLB TCP Template Configuration Mode Commands ...................................................... 252

Config Commands: SLB TCP Proxy Templates ......................................................................... 261

Config Commands: SLB UDP Templates .................................................................................. 277

Config Commands: SLB Virtual Port Templates ....................................................................... 283

Config Commands: SLB Virtual Server Templates .................................................................... 295

Config Commands: SLB Servers ............................................................................................... 301

Config Commands: SLB Service Groups ................................................................................... 315

Config Commands: SLB Virtual Servers ................................................................................... 339

template policy ...........................................................................................................................346

Config Commands: SLB Virtual Server Ports ............................................................................ 349

Config Commands: Health Monitors ........................................................................................ 373

Config Commands: Web Category ............................................................................................ 391

SLB Show Commands .............................................................................................................. 397

show slb smpp ........................................................................................................................... 459

Config Commands: Server Load Balancing

This chapter contains the following topics:

• Global Configuration Mode SLB Commands

• SLB Common Configuration Mode Commands

Global Configuration Mode SLB Commands

• slb ssl-cert-revoke-stats sampling-enable

• slb ssl-expire-check email-address

• slb ssl-expire-check exception

• slb ssl-forward-proxy sampling-enable

• slb svm-source-nat pool

Syntax slb common

NOTE: Commands in SLB common configuration mode are only available in

Mode Configuration mode

Syntax [no] slb resource-usage resource-type

Resource Type Description and Acceptable Values

Mode Configuration mode

The “no” form of this command removes an existing real server.

Mode Configuration mode

A new real server is created, if required, by adding a server to a service group,

The IP address of the server can be in either IPv4 or IPv6 format.

ACOS(config)# slb server rs1 10.10.10.99

ACOS(config)# slb server rs2 2020:3e8::3

Syntax [no] slb service-group group-name {tcp | udp}

Default There are no service groups configured by default.