A10 AX Training Booklet 032010

Contents
Training Labs ................................................................................................................................ 3

Lab #1 – Load Balancing Basics ............................................................................................... 3
Managing your AX ................................................................................................................. 3
Adding Servers to AX ............................................................................................................ 4
Adding Service Ports ............................................................................................................. 6
Adding A Service Group ........................................................................................................ 7
Configuring IP NAT Pools...................................................................................................... 8
Creating a Virtual Server and IP (VIP)................................................................................... 9
Lab #2 – Health Monitors ........................................................................................................ 12
Creating A Health Monitor ................................................................................................... 12
Using The Health Monitor .................................................................................................... 13
Health Monitor Failures & Service Down ............................................................................. 15
Server Versus Service Port Status ...................................................................................... 17
More HTTP Health Monitor Options .................................................................................... 17
Lab #3 – Templates................................................................................................................. 19
Creating Additional Service Groups..................................................................................... 20
Creating a HTTP Template for URL Switching .................................................................... 20
Source IP Persistence (Switching) ...................................................................................... 25
Cookie Persistence (Switching) ........................................................................................... 28
Lab #4 – SSL Acceleration...................................................................................................... 30
Importing Certificates and Keys........................................................................................... 30
Creating a Client SSL Template .......................................................................................... 30
Using the Client SSL Template............................................................................................ 31
Lab #5 – Policy Based Server Load Balancing (PBSLB) ........................................................ 33
Importing the Black/White List ............................................................................................. 34
Using a Black/White List with Policies ................................................................................. 34
More Policy Actions ............................................................................................................. 36
Lab #6 – aFlex......................................................................................................................... 37
Import the aFlex Scripts....................................................................................................... 37
Use aFlex on Virtual Service ............................................................................................... 39
aFlex Scripting – Part 2 ....................................................................................................... 42
aFlex Scripting – Part 2 ....................................................................................................... 42
Lab #7 – Compression ............................................................................................................ 45
Creating an template with compression enabled................................................................. 45
Binding the template to your virtual service port.................................................................. 47
Controlling the compression level....................................................................................... 49
Lab #8 – RAM Caching ........................................................................................................... 51
Creating a RAM cache template.......................................................................................... 51
Binding the RAM cache template to your virtual service port .............................................. 51
Changing the default behavior – Caching policies............................................................... 55
Lab #9– System Configuration Practice .................................................................................. 55
Changing boot partition during bootup................................................................................. 57
AX Debugging lab................................................................................................................ 58
Dump SSL encrypted data................................................................................................... 64
Things to do before calling tech support.............................................................................. 70
A10 Networks Confidential Information

Training Labs
Lab #1 – Load Balancing Basics
In this lab you will configure your AX to load balance traffic in one-arm mode using source NAT.
Clients, servers, and AX units are all on the same IP subnet.
Managing your AX
Your AX unit has been pre-configured with your assigned IP address. Each student has also
been assigned an IP address for their laptop client (refer to the PowerPoint presentation or ask
your instructor).
Configure your laptop client with the appropriate IP address and access the AX’s CLI using
SSH/Telnet from your laptop. Use the default login name “admin” and default password “a10” to
log in.
login as: admin

Using keyboard-interactive authentication.
Password:
Last login: Mon Feb 16 14:26:56 2009 from 192.168.18.11
[type ? for help]
AX>
A10 Networks Confidential Information 3

After successful login, enter privileged mode using the “enable” command. By default, there is
no password assigned so simply hit the “Enter” key when prompted for the password.
AX>enable
Password:
AX#
You are now ready to start configuring your AX unit. At any time, you can use the question mark
(?) in the CLI to get help text, and the Tab key for command auto-completion.
GUI Example:
Figure 1: Login Screen
Adding Servers to AX
There are two web servers on the classroom’s lab network with IP addresses 192.168.18.201
and 192.168.18.202.
In order to load balance traffic to these servers, you must first add them to the AX. To configure
the AX, you must enter config mode. Once in config mode, add the first server using the
commands show below.
AX#config
AX(config)#slb server web1 192.168.18.201
AX(config-real server)#

The above commands adds the server with IP address 192.168.18.201 as a SLB server named
“web1” on AX. Now add the second server with the name “web2”.
You can confirm that your servers have been added using the “show slb server” command.
AX(config-real server)#show slb server

Total Number of Services configured: 0
Current = Current Connections, Total = Total Connections
Req-pkt = Request packets, Resp-pkt = Response packets
Service Current Total Req-pkt Resp-pkt State
-----------------------------------------------------------------------------
---
web1: Total 0 0 0 0 Up
GUI Example:
Figure 2: Config > Service > SLB > Server > Add

Figure 3 Config > Service > SLB > Server (2 servers Added)
Adding Service Ports

Now that the servers have been added, the next step is to tell AX which service ports are
available for load balancing. The command below shows how to add TCP port 80 as a service
port.
AX(config)#slb server web1

AX(config-real server)#port 80 tcp
AX(config-real server-node port)#
Now add TCP port 80 as a service port for the server “web2” as well.
You can confirm the service ports have been added using the “show slb server” command
again.
AX(config-real server-node port)#show slb server

-----------------------------------------------------------------------------
---
web1:80/tcp 0 0 0 0 Up
web2:80/tcp 0 0 0 0 Up

GUI Example:
Figure 4: Config > Service > SLB > Server (Add the Port Details)
Adding A Service Group

Now that the servers and service ports have been added, you need to assign them to a service
group that will be used for load balancing.
Create a new TCP service group named “web_group” and add the two web servers’ service port
80 as members of the group using the commands below.
AX(config)#slb service-group web_group tcp

AX(config-slb svc group)#member web1:80
Confirm the service group configuration using the “show slb service-group” command.
AX(config-slb svc group)#show slb service-group

Total Number of Service Groups configured: 1
Req-p = Request packets, Resp-p = Response packets
Service Group Name
Service Current Total Req-p Resp-p
-----------------------------------------------------------------------
*web_group State: Up

web1:80 0 0 0 0
web2:80 0 0 0 0
GUI Example:
Figure 5: Config > Service > SLB > Server Group (Add the two servers in the Service Group)
Configuring IP NAT Pools

Source NAT is required for one-arm mode load balancing, so you will need to add an IP NAT
pool to the AX using the IP address assigned by your instructor.
Add an IP NAT pool named “source_nat1” using the commands below and replace the IP
address with your assigned IP. For the purposes of this lab, the start and end addresses are the
same (i.e. an IP NAT pool consisting of a single IP address).
AX(config)#ip nat pool source_nat1 192.168.18.151 192.168.18.151 netmask /24
Confirm your configured IP NAT pool using the “show ip nat pool” command.
AX(config)#show ip nat pool
Total IP NAT Pools: 1
Pool Name Start Address End Address Mask Gateway HA Group
-----------------------------------------------------------------------------------
source_nat1 192.168.18.151 192.168.18.151 /24 0.0.0.0 0

You now have all the pieces required for one-arm mode load balancing on your AX. The next
step is to configure a virtual server IP and virtual service port.
GUI Example:
Figure 6: Config > Service > IP Source NAT > Add
Creating a Virtual Server and IP (VIP)

Now it’s time to create a virtual server with an IP address (VIP) that will be used by clients to
access the load balanced service.
Use the commands below to create a virtual server named “main_vip” and replace the IP with
the address assigned by your instructor.
AX(config)#slb virtual-server main_vip 192.168.18.101
Once the VIP is configured, you can add a virtual service port for load balancing. In this lab, we
will configure a virtual HTTP web service load balanced across our two servers.
Use the commands below to create the virtual HTTP service port that will use the service group
“web_group” and IP NAT pool “source_nat1” for source NAT load balancing.
AX(config-slb vserver)#port 80 http

AX(config-slb vserver-vport)#service-group web_group
AX(config-slb vserver-vport)#source-nat pool source_nat1

Confirm your virtual configuration using the command “show slb virtual-server”.
AX(config-slb vserver-vport)#show slb virtual-server

Total Number of Virtual Services configured: 1
Virtual Server Name IP Current Total Request Response
Service-Group Service connection connection packets packets
--------------------------------------------------------------------------------
*main_vip 192.168.18.101
port 80 http
web_group 80/http 0 0 0 0
Total received conn attempts on this port: 0
Congratulations! You are now ready to send traffic to your AX. Use a web browser on your
laptop and access your VIP. Browse the test website and watch your traffic get load balanced
across the two web servers. Use the “show” commands you tried in the above steps to take a
look at the statistics.
GUI Example:
Figure 7: Config > Service > SLB > Virtual Server

Figure 8: Config > Service > SLB > Virtual Server (Adding Port )
Figure 9: Config > Service > SLB > Virtual Server (Port Added)

Lab #2 – Health Monitors
In this lab you will create and use different health monitors.
Creating A Health Monitor

In the previous lab, when you added servers and service ports to AX it also configured default
health monitors. The default health monitor for servers is ICMP. For TCP service ports, AX uses
a default TCP health monitor (simple 3-way TCP handshake).
AX#show slb server config

H-check = Health check Max conn = Max. Connection Wgt = Weight
Service Address H-check Status Max conn Wgt
-------------------------------------------------------------------------------
web1:80/tcp 192.168.18.201 Default Enable 1000000 1
web1 192.168.18.201 Default Enable 1000000 1

Now you will configure a HTTP health monitor for the servers’ web service port.
Create a health monitor named “http-default” that uses the HTTP health check method with the
following commands.
AX(config)#health monitor http-default

AX(config-health:monitor)#method http
This creates a health monitor that uses the default parameters for the HTTP method. You can
view the details using the “show health monitor http-default” command.
AX(config-health:monitor)#show health monitor http-default

Monitor Name: http-default
Interval: 30
Max Retry: 3
Timeout: 5
Up-Retry: 1
Status: Idle
Method: HTTP
Attribute: port=80
url="GET /"
GUI Example:

Figure 10: Config > Service > Health Monitor > Add
Using The Health Monitor
Now that you have created a health monitor, it needs to be used. The following commands will
associate the health monitor you just created to the TCP 80 service port of server “web1”.

AX(config-real server-node port)#health-check http-default
GUI Example:

Figure 11: Config > Service > SLB > Server > (web1)
Check that the health monitor is now in use with the below commands.
AX(config-real server-node port)#show health monitor

Idle = Not used by any server In use = Used by server
Monitor Name Interval Retries Timeout Up-Retries Method Status
-------------------------------------------------------------------------
ping 30 3 5 1 ICMP In use
http-default 30 3 5 1 HTTP In use
AX(config-real server-node port)#show slb server config

H-check = Health check Max conn = Max. Connection Wgt = Weight
Service Address H-check Status Max conn Wgt
-------------------------------------------------------------------------------
web1:80/tcp 192.168.18.201 http-default Enable 1000000 1

Since our web servers are running and there is a page available at the HTML root, this health
monitor will not change the server’s status (as seen below).

-----------------------------------------------------------------------------
---
web1:80/tcp 0 0 0 0 Up
web2:80/tcp 0 0 0 0 Up
Let’s create another health monitor to demonstrate how health check failures will bring a
server/service port status down.
Health Monitor Failures & Service Down

Create another health monitor named “http-hm”. Explicitly configure a shorter interval and less
retries in order to see the service status change quicker.
AX(config)#health monitor http-hm interval 5 retry 1

AX(config-health:monitor)#method http url HEAD /404.html
AX(config-health:monitor)#show health monitor http-hm
Monitor Name: http-hm
Interval: 5
Max Retry: 1
Timeout: 5
Up-Retry: 1
Status: Idle
Method: HTTP
Attribute: port=80
url="HEAD /404.html"
GUI Example:

Figure 12: Config > Service > Health Monitor
Since this page does not exist on the web servers in our classroom lab, the health monitor will
return failure. Use it on server “web1” and observe what happens.

AX(config-real server-node port)#health-check http-hm
After several seconds, the service port’s status will become down.

-----------------------------------------------------------------------------
---
web1:80/tcp 0 0 0 0 Down
web2:80/tcp 0 0 0 0 Up
GUI Example:

Figure 13: Monitor > Service > SLB > Server
Try sending some requests to the AX VIP using your laptop’s web browser. You will notice that
the requests are no longer load balanced to server “web1” because its service port is down.
Server Versus Service Port Status

You may have noticed that service port 80 TCP on “web1” is marked down, but the server itself
is still up. This is because the server-level health-check is still successful (i.e. the default ICMP
ping health-check).
A health-check failure at the service port level will bring that particular service port down.
However, a failure at the server level will bring all service ports on that server down (even if the
service port health-check is successful).
More HTTP Health Monitor Options

Now let’s try a few more options available when using the HTTP health monitor method.
Modify the “http-hm” health monitor to send a HEAD request for the “axseries.html” page.
AX(config)#health monitor http-hm

AX(config-health:monitor)#method http url HEAD /axseries.html
Since the page “axseries.html” exists on the server, the health-check should be successful and
the service port should come back up.


-----------------------------------------------------------------------------
---
web1:80/tcp 0 0 0 0 Up
web2:80/tcp 0 0 0 0 Up
Your requests to the VIP should be load balanced to both web servers again.
Now let’s try using the “expect” option with a HTTP GET request. Modify the “http-hm” health
monitor to send an HTTP GET request for the “axseries.html” page and include an expect
option for the text “abcdefg”.

AX(config-health:monitor)#method http url GET /axseries.html expect abcdefg
Since “abcdefg” does not appear anywhere on the requested page, your service port should go
down again.
AX(config-health:monitor)#show slb server

-----------------------------------------------------------------------------
---
web1:80/tcp 0 0 0 0 Down
web2:80/tcp 0 0 0 0 Up
Now modify the health monitor to expect a string that does appear in the page. Change the
expect option to look for the string “ACOS”.

AX(config-health:monitor)#method http url GET /axseries.html expect ACOS
The service port should come back up once again.
AX(config-health:monitor)#show slb server


-----------------------------------------------------------------------------
---
web1:80/tcp 0 0 0 0 Up
web2:80/tcp 0 0 0 0 Up
Congratulations! You now have a solid understanding of how health monitors are created and
used. If you have time, explore the other options and health monitor methods available.
Lab #3 – Templates
In this lab you will create HTTP and Persist templates that will be used to change the way AX
load balances incoming requests.

NOTE: Your web browser may automatically cache pages you have already viewed. When
going through the exercises in this lab you may need to disable/clear the browser cache in order
for subsequent requests to actually go to AX. Your browser may also have a hot-key for
bypassing the local browser cache when performing a page refresh (e.g. On Firefox, you can
hold the Shift key when clicking Refresh).
Creating Additional Service Groups

To demonstrate the URL switching feature of HTTP templates, we will create two additional
service groups; one for “web1” and the other for “web2”.
AX(config)#slb service-group web_html tcp

AX(config-slb svc group)#mem web1:80
AX(config-slb svc group)#slb service-group web_images tcp
AX(config-slb svc group)#mem web2:80
You should now have a total of three service groups as shown below.
AX(config-slb svc group)#show slb service-group

Service Group Name
-----------------------------------------------------------------------
*web_group State: All Up
web1:80 0 0 0 0
web2:80 0 0 0 0
*web_html State: All Up

web1:80 0 0 0 0
*web_images State: All Up

web2:80 0 0 0 0
Creating a HTTP Template for URL Switching

Create a HTTP template named “url-switch” using the following command.
AX(config)#slb template http url-switch
The “url-switching” option allows you to configure rules used to select different service groups
based on the URL requested.
AX(config-http)#url-switching ?
contains Select service group if URL string contains another string
ends-with Select service group if URL string ends with another string
match Deprecated. Same as contains
starts-with Select service group if URL string starts with another string

Configure the following URL switching rules.
AX(config-http)#url-switching ends-with .html service-group web_html

AX(config-http)#url-switching ends-with .jpg service-group web_images
AX(config-http)#url-switching ends-with .gif service-group web_images
AX(config-http)#show slb template http url-switch

slb template http url-switch
url-switching ends-with .html service-group web_html
url-switching ends-with .jpg service-group web_images
url-switching ends-with .gif service-group web_images
GUI Example:
Figure 14: Config > Service > Templates > Application > Http (Adding Http template)

Figure 15: Config > Service > Templates > Application > http ( Application Switching )
Now that you have created your HTTP template, let’s use it on our virtual server to see it in
action.
AX(config-http)#slb virtual-server main_vip

AX(config-slb vserver-vport)#template http url-switch
GUI Example:
Figure 16: Config > Service > SLB > Virtual Server > vip0, Port 80 (Adding http template)
Use your laptop’s web browser to go to your virtual server IP address (e.g.
http://192.168.1.101/)
You can confirm which service group was used using the “show slb service-group” command on
AX. Notice that the first request (i.e. HTTP GET “/”) uses the original service group “web_group”
because it does not match any of our URL switching rules. But the subsequent requests for the
images on the front page are sent to the service group “web_images”.
AX#show slb service-group

Service Group Name
-----------------------------------------------------------------------
web1:80 0 0 0 0
web2:80 0 1 1 4

web1:80 0 0 0 0

web2:80 0 2 2 8
GUI Example:
Figure 17: Monitor > Service > SLB >Service Group
Figure 18: Monitor > Service > SLB > Service Group (Subsequent Reqs goes to web-images)
You can also use the “show slb http debug” command to see which switching method was used.

AX#show slb http debug
DP0 DP1 DP2 DP3
Total
------------------------------------------------------------------
Cookie switching 0 0 0 0 0
Cookie switching (succ) 0 0 0 0 0
aFleX switching 0 0 0 0 0
aFleX switching (succ) 0 0 0 0 0
URL switching 0 1 1 0 2
URL switching (succ) 0 1 1 0 2
Host switching 0 0 0 0 0
Host switching (succ) 0 0 0 0 0
Normal LB switching 0 0 0 1 1
Normal LB switch. (succ) 0 0 0 1 1
Browse the simple test website by clicking the hyperlinks. You should see requests being sent
to the service group “web_html”.
Now we will move on to a different type of template that modifies the way AX selects a server
for load balancing; persist templates.
Source IP Persistence (Switching)

One type of persist template is the source-ip persist template. When this type of template is
used on a virtual service port, all connections from the same source IP (in this lab, your laptop’s
IP) will persist (“stick”) to the server selected on the first request.
Let’s create this new template and name it “src-ip-persist”.
AX(config)#slb template persist source-ip src-ip-persist

AX(config-source ip persist)#
GUI Example:

Figure 19: Config > Service > Templates > Persistent > Source-Ip- Persistent
Now remove the HTTP template and apply the source IP persist template to your virtual port.
AX(config)#slb virtual-server main_vip

AX(config-slb vserver-vport)#no template http url-switch
AX(config-slb vserver-vport)#template persist source-ip src-ip-persist
AX(config-slb vserver-vport)#show run | section main_vip

slb virtual-server main_vip 192.168.18.101
port 80 http
source-nat pool source_nat1
service-group web_group
template persist source-ip src-ip-persist
GUI Example:
Use your laptop to browse our simple test web site again. You should notice that all the
requests are sent to one of the web servers.
To view which source IP’s are currently persisting to a server, use the “show session persist”
command.
AX#show session persist

Prot Forward Source Forward Dest Reverse Source Age
------------------------------------------------------------------------
src 192.168.18.11 192.168.18.101:80 192.168.18.201 300
The “Age” value shows how long AX will continue to persist to the server selected. The age will
be refreshed each time the same source IP sends a request to the virtual port. When the
persistent session ages out, AX will perform server selection again.
The default value is 300 seconds (5 minutes). This value can be modified as one of the template
options.
The “clear session persist” command will clear all persistent sessions. Try using this command
and then browse the website again.

Cookie Persistence (Switching)
Cookie persist templates can be used on HTTP and HTTPS virtual service ports. When used,
AX inserts a cookie on the client web. When AX receives the cookie on subsequent requests, it
uses the cookie value to persist to the server selected in the first request.
Create a cookie persist template with the following commands.
AX(config)#slb template persist cookie cookie-persist

AX(config-cookie persist)#name My-AX-Cookie
AX(config-cookie persist)#expire 1800
GUI Example:
Figure 21: Config > Service > Templates > Persistent > Cookie Persistent
The “name” option allows you to specify a custom cookie name to be used. The default cookie
name will be something similar to “sto-id-20480”.
The “expire” option sets the expiration of the cookie. In this example, the cookie will expire 1800
seconds (30 minutes) after the browser first receives it from AX. Setting a value of 0 seconds
means the cookie will expire immediately after the current session is over (i.e. a session
cookie). If the option is not configured the default expiration is 10 years.
Remove the source IP persist template and apply the cookie persist template with the
commands below.

AX(config-slb vserver-vport)#no template persist source-ip src-ip-persist
AX(config-slb vserver-vport)#template persist cookie cookie-persist
GUI Example:
Visit the test website again and check your browser’s cookies. You should see the cookie
inserted by AX. You should also notice that once again your requests are persisting to the same
server.
You can use the “show slb http debug” command again to see what type of switching is being
used. This time, you should see the counters for “Cookie switching” being incremented.
AX(config-cookie persist)#show slb http debug
DP0 DP1 DP2 DP3 Total
------------------------------------------------------------------
Cookie switching 0 0 1 1 2
Cookie switching (succ) 0 0 1 1 2
Try clearing your browser’s cookies and visit the site again to see a new server selected.

Lab #4 – SSL Acceleration
In this lab we will import a test certificate and key onto AX, and create both a client and a server
side SSL template to be used with our virtual HTTPS service.
Importing Certificates and Keys

AX supports importing certificates and keys using TFTP, FTP, SCP, or RCP protocols. The web
UI also supports file upload via web browser.
For the purposes of this lab, the certificate and key files have been placed on server “web1”
(192.168.1.201) and we will be importing them via SCP using the following commands. The
login and password are both “a10”.
AX(config)#import ssl-cert my_cert scp://a10@192.168.18.191/home/a10/cert.pem

Password []?
AX(config)#import ssl-key my_key scp://a10@192.168.18.191/home/a10/key.pem
Password []?
You can view the certificates and keys that have been imported to AX using the command
below.
AX(config)#show slb ssl cert

name: my_cert
type: certificate
Common Name: 1024.bit
Organization: Internet Widgits Pty Ltd
Expiration: Feb 21 00:55:42 2003 GMT
Issuer: CA
name: my_key
type: key
key size: 1024
Now that you have successfully imported the certificate and key to AX, we are ready to create
the templates to use them.
Creating a Client SSL Template

Create a new client SSL template named “cssl” that uses the imported certificate and key with
the following commands.
AX(config)#slb template client-ssl cssl

AX(config-client ssl)#cert my_cert
AX(config-client ssl)#key my_key
GUI Example:
Figure 23: Config > Service > Template > Client SSL
Using the Client SSL Template

In order to use the newly created template for SSL acceleration, we need to first configure our
virtual server with a HTTPS service port.

AX(config-slb vserver)#port 443 https
Add the client SSL template to the virtual port.
AX(config-slb vserver-vport)#template client-ssl cssl
GUI Example:

Figure 24: Config > Service > SLB > Virtual Server > Port > 443
Since AX will be performing SSL acceleration (handshake, encryption, and decryption) with the
clients, our backend connections to the servers can be made unencrypted through port 80.
Use the service group “web_group” you configured previously on the HTTPS virtual service port.
We will also require the previously configured source NAT pool “source_nat1”.
AX(config-slb vserver-vport)#service-group web_group

AX(config-slb vserver-vport)#source-nat pool source_nat1
Your virtual server configuration should appear as shown below.
AX#show run | section main_vip

port 80 http
template persist cookie cookie-persist
port 443 https
template client-ssl cssl
You are now ready to test AX’s SSL acceleration. Use your web browser to hit the VIP using the
HTTPS protocol (e.g. https://192.168.18.101). Your browser will most likely give you a warning

message because we are using a self-signed test certificate and key. Just accept the certificate
and continue.
You can check your SSL statistics using the command below.
AX#show slb ssl stat

Number of SSL modules: 1
SSL module 1
number of enabled crypto engines: 12
number of available crypto engines: 12
Current SSL connections: 0
Total SSL connections: 10
Failed SSL handshakes: 0
Failed crypto operations: 0
SSL memory usage: 51840 bytes
SSL fail CA verification 0
HW Context Memory alloc failed 0
HW ring full 0
Record too big 0
GUI Example:
Figure 25: Monitor > Service > Application > SSL
Lab #5 – Policy Based Server Load Balancing (PBSLB)

In this lab we will be using PBSLB to control how clients access our website.
Importing the Black/White List
For the purposes of this lab, a black/white list has been created in advance containing the IP
addresses of all the student’s laptops and placed on server “web1”. IP addresses ending with
an odd number are in group 1 and even numbers are in group 2 (see below).
192.168.18.11/32 1
192.168.18.12/32 2
192.168.18.13/32 1
192.168.18.14/32 2
192.168.18.15/32 1
192.168.18.16/32 2
192.168.18.17/32 1
192.168.18.18/32 2
192.168.18.19/32 1
192.168.18.20/32 2
Import the black/white list using the following command. The login and password are the same
as the previous lab, both are “a10”.
AX(config)#import bw-list odd-even

scp://a10@192.168.18.201/home/a10/odd-even
Password []?
Importing ... Done.
The “show bw-list” command can be used to show the lists currently on AX. You should see the
list you just imported.
AX(config)#show bw-list
Name Url Size(Byte) Date
--------------------------------------------------------------------------------
odd-even Local 144 Feb/19 12:14:32
Now you are ready to define some policies to use with this list.
Using a Black/White List with Policies

To use the black/white list you need to configure policies on the virtual service port. Let’s start
by creating a policy that determines which service-group is used for load balancing on our
website.
In Lab #3 (Templates) you created two service groups named “web_html” and “web_images”.
We will be reusing these groups in this lab. You may remember that each service group
contains only one of our web servers (web_html = web1, web_images = web2).

We will configure policies so that requests from IP addresses belonging to group 1 (i.e. student
IP addresses ending in an odd number) are sent to server “web1” only, and similarly group 2 will
be sent to “web2” only.
First, remove any other templates that may have been left over from previous labs on your
HTTP virtual service port. Simply prefix the command with the keyword “no”. The example
below shows how to remove the cookie persist template we configured in our previous lab.

AX(config-slb vserver-vport)#no template persist cookie cookie-persist
Your virtual server configuration should appear as below.

port 80 http
port 443 https
Now add the black/white list to our virtual HTTP port using the following command.
AX(config-slb vserver-vport)#pbslb bw-list odd-even
Also configure the policies that will select the appropriate service group based on the group ID
in the black/white list.
AX(config-slb vserver-vport)#pbslb id 1 service web_html

AX(config-slb vserver-vport)#pbslb id 2 service web_images
You virtual server configuration should appear as below.

port 80 http
pbslb bw-list odd-even
pbslb id 1 service web_html
pbslb id 2 service web_images
port 443 https

Browse the website with your partner. You should notice that all of your requests are sent to one
of the servers, and your partner’s requests are sent to the other server.
Try the “show pbslb” command to view the PBSLB statistics. Sample output is shown below.
AX#show pbslb
Total number of PBSLB configured: 1
Virtual Server Port Blacklist/whitelist GID Connection # (Establish Reset Drop)
--------------------------------------------------------------------------------
main_vip 80 odd-even 1 6 0 0
2 7 0 0
Also check that the policy is working. You and your partner’s requests should have been sent to
the “web_html” and “web_images” service groups.
AX#show slb service-group

Service Group Name
-----------------------------------------------------------------------
web1:80 0 0 0 0
web2:80 0 0 0 0

web1:80 0 6 23 42

web2:80 0 7 49 71
More Policy Actions

Now let’s try changing the policies on our virtual service to drop and reset connections based on
group ID. Use the commands shown below to reset connections from group 1 and drop (silently)
connections from group 2.

AX(config-slb vserver-vport)#pbslb id 1 reset
Now try browsing the website again. Students with IP addresses belonging to group 1 should no
longer be able to fetch pages. Below is a sample screenshot from Firefox.

Group 1- Connection Reset
Using the “show pbslb” command again, you can see the “Reset” counter for group ID 1
increment.
AX#show pbslb
Total number of PBSLB configured: 1
Virtual Server Port Blacklist/whitelist GID Connection # (Establish Reset Drop)
--------------------------------------------------------------------------------
main_vip 80 odd-even 1 6 3 0
2 7 0 0
Lab #6 – aFleX
In this lab you will use different aFleX scripts to change how AX load balances traffic to our test
website. For the purposes of this lab, the aFleX scripts have been created in advance and your
instructor will go over each in detail during the lab.
Import the aFleX Scripts

The aFleX scripts are stored on server “web1” again. Import the first script named “a1” using the
commands below.
AX(config)#import aflex a1 scp://a10@192.168.18.192/home/a10/a1
Password []?
Importing ... Done.
Use the “show aflex” command to display the aFleX scripts that have been imported onto the
AX.
AX(config)#show aflex
Total aFleX number: 1
Max aFleX file size: 32K
Name Syntax Virtual port
------------------------------------------------------------
a1 Check No
Providing the aFleX name displays more details and the content of the aFleX script. Try it now
with the “a1” aFleX script.
AX#show aflex a1
Name: a1
Syntax: Check
Virtual port: No
Content:
when CLIENT_ACCEPTED {
pool web_html
}
This is a simple aFleX script that causes AX to always load balance to the service group
“web_html” .
GUI Example:

Figure 26: Config > Service > Aflex > Create (script is created here)
Use aFleX on Virtual Service

You may still have the PBSLB policies on your virtual HTTP service port from the last lab.
AX(config)#show run | b virt

port 80 http
pbslb bw-list odd-even
pbslb id 1 reset
pbslb id 2 drop
port 443 https
!
You should remove the PBSLB policies using the commands below.
AX(config)#slb virt main_vip

AX(config-slb vserver-vport)#no pbslb bw-list odd-even
You virtual server’s configuration should appear as shown below.
AX(config-slb vserver-vport)#show run | b virt

port 80 http
port 443 https
!
Now add the aFleX script “a1” to the virtual service port using the commands shown below.

AX(config-slb vserver-vport)#aflex a1
GUI Example:
The virtual server’s configuration should now have the aFleX script “a1” added to the virtual port
80 HTTP service port.

port 80 http
aflex a1
port 443 https
Notice that the “show aflex” command’s output has changed to show that the script “a1” is in
use (has been “bound” to a virtual port).
AX#show aflex
Total aFleX number: 1
Max aFleX file size: 32K
Name Syntax Virtual port
------------------------------------------------------------
a1 Check Bind
Use your web browser to visit our test website again. Use the “show slb service-group”
command to verify the aFleX script is working (i.e. all the requests are being sent to the
“web_html” service group).
AX#show slb service

Service Group Name
-----------------------------------------------------------------------
web1:80 0 0 0 0
web2:80 0 0 0 0

web1:80 0 4 8 16

web2:80 0 0 0 0
Try using the “show aflex <name>” command to see the number of times the aFleX script was
executed and check if there were any errors or aborts.
AX#show aflex a1
Name: a1
Syntax: Check

Virtual port: Bind
main_vip: 80
Statistics:
Event CLIENT_ACCEPTED execute 4 times (0 failures, 0 aborts)
Content:
when CLIENT_ACCEPTED {
pool web_html
}
GUI Example:
Figure 28: Monitor > Service > aFlex
aFleX Scripting – Part 2

We will now move onto our second aFleX script example. Import the script named “a2” onto AX.
The location is the same as the first example except the name of the file is “a2”.
Use the command shown below to view the details of the aFleX script.
AX(config)#show aflex a2
Name: a2
Syntax: Check
Virtual port: Bind
main_vip: 80
Statistics:
Event HTTP_REQUEST execute 7 times (0 failures, 0 aborts)
Content:
when HTTP_REQUEST {
if {[HTTP::uri] ends_with "html" } {

pool web_html
log "Redirect request [HTTP::uri] to HTML service group"
} elseif { ([HTTP::uri] ends_with "jpg") or ([HTTP::uri] ends_with "gif") } {
pool web_images
log "Redirect request [HTTP::uri] to IMAGES service group"
} else {
pool web_group
log "Redirect request [HTTP::uri] to WEB service group"
}
}
This aFleX script emulates the URL switching used in the HTTP template lab.
∞ The aFleX checks the request URI using the command “[HTTP::uri]”
∞ If the URI ends with “html” it selects the “web_html” service group.
∞ If the URI ends with “jpg” of “gif” it selects the “web_images” service group.
∞ For all other requests it selects the “web_html” service group.
In addition, we use the aFleX command “log” to log a message for each of the cases covered
above.
Remove the aFleX “a1” from the virtual port and add aFleX “a2”.

port 80 http
aflex a2
Browse the test website and use the “show slb service-group” and “show log” commands to
verify the aFleX is working. You should see log messages similar to those shown below using
the “show log” command.
AX(config)#show log
Log Buffer: 30000
Feb 19 2009 18:37:14 Info [AFLEX]:Redirect request /exseries-index-banner.gif to
IMAGES service group
Feb 19 2009 18:37:14 Info [AFLEX]:Redirect request /exseries.html to HTML service
group
Feb 19 2009 18:37:13 Info [AFLEX]:Redirect request /axseries-platform-advantage.jpg
to IMAGES service group
Feb 19 2009 18:37:13 Info [AFLEX]:Redirect request /axseries.html to HTML service
group
Feb 19 2009 18:37:00 Info [AFLEX]:Redirect request /index-mast-090126c.jpg to
IMAGES service group

Feb 19 2009 18:37:00 Info [AFLEX]:Redirect request /a10banner.jpg to IMAGES service
group
Feb 19 2009 18:37:00 Info [AFLEX]:Redirect request / to WEB service group
GUI Example:
Figure 29: Monitor > System > logging

Lab #7 – Compression
In this lab you will learn how to configure the compression feature on your AX system. You will
learn how to specify an HTTP template with compression, and how to bind it to a vport. You
will also learn how to use various compression options to control the behavior of your
compression.
You will learn the various show and clear commands associated with compression and how to
troubleshoot when you see problems.
Creating an template with compression enabled

Create a new HTTP template named “compress” using the following commands.
AX(config)#slb template http http-compress

AX(config-HTTP template)#compression enable
AX(config)#slb template http http-compress

AX(config-HTTP template)#compression enable
AX(config-HTTP template)#compression level 5
AX(config-HTTP template)#compression content-type image
AX(config-HTTP template)#compression exclude-content-type
application/zip
GUI Example:
Figure 30: Config > Service > Template > Http> Create

Figure 31 Config > Template > Application > http>
Figure 32: Http-Compress

Figure 33: Http Compress
Binding the template to your virtual service port

Now bind the HTTP template you have just created to the virtual service port that you want to
enable compression on. You can do so using the CLI commands given below.

AX(config-slb vserver-vport)#template http compress
The virtual server’s configuration should now have the HTTP template “compress” added to the
virtual port 80 HTTP service port.
You can verify this by doing the following command
AX #show runn | begin http

slb template http compress
compression enable
!s
!
port 80 http
template http compress
template cache ramcache

The server 192.168.18.193 has a large compressible file index.html. So make the following
changes in your config. Define a new server web3 as shown below and add it as the sole
member of the service group web_group.
AX(config)#slb server web3 192.168.18.193

AX(config)#slb service-group web_group tcp

Note: you may have to do a no command on the 2 previous members you had defined earlier
before you can add the new members.
Now, use your laptop’s web browser to go to your virtual server IP address and fetch the file
index.html (e.g. http://192.168.18.101/)
Look at what has happened on the AX by doing a show command as shown below
AX#show slb http-proxy

Total
------------------------------------------------------------------
Curr Proxy Conns 2
Total Proxy Conns 2
HTTP requests 2
HTTP requests(succ) 2
No proxy error 0
Client RST 1
Server RST 0
No tuple error 0
Parse req fail 0
Server selection fail 0
Fwd req fail 0
Fwd req data fail 0
Req retransmit 0
Req pkt out-of-order 0
Server reselection 0
Server premature close 0
Server conn made 2
Source NAT failure 0
Tot data before compress 254583
Tot data after compress 102690
GUI Example:
Figure 33: Monitor > Service > Proxy
Controlling the compression level

Now, change the compression level from the default (level 1) to level 6. You do this as follows
AX(config)#slb template http compress

AX(config-HTTP)#compression level 6
Look at what has happened on the AX by doing a show command as shown below
AX(config-HTTP)#show slb http-proxy

Total
------------------------------------------------------------------
Curr Proxy Conns 2
Total Proxy Conns 2
HTTP requests 3
No proxy error 0
Client RST 1
Server RST 0
No tuple error 0
Parse req fail 0
Fwd req fail 0
Fwd req data fail 0
Req retransmit 0

Server conn made 2

Lab #8 – RAM Caching
In this lab you will learn how to configure the RAM caching features on your AX system. You
will learn how to specify a RAM Cache template, how to bind it to a vport. You will also learn
how to specify various caching policies to control the behavior of your web cache.
You will learn the various show and clear commands associated with RAM caching and how to
troubleshoot when you see problems.
Creating a RAM cache template

Create a new RAM cache template named “ramcache” with the following commands.
AX(config)#slb template cache ramcache

AX(config-ram caching)#age 300
AX(config-ram caching)#min-content-size 50
AX (config-ram caching)#exit
GUI Example:
Figure 34: Config > Template > Application > Ram Caching > Create
Here, we are changing the age of the cache in the template from the default 3600 seconds to
300 seconds. We are also specifying the minimum size of the content to be cache as 50bytes.
Binding the RAM cache template to your virtual service port

Now bind the template you have just created to the vport that you want to enable caching on.
You do using the commands shown below.

Your virtual server configuration should appear as below.

port 80 http
Now add the cache template ramcache to the virtual service port using the commands shown
below.

AX(config-slb vserver-vport)#template cache ramcache
The virtual server’s configuration should now have the cache template “ramcache” added to the
virtual port 80 HTTP service port.

port 80 http
template cache ramcache
Look at the current state of the cache on your virtual port by doing the show command given
below.
AX#show slb cache stats main_vip 80

main_vip:80
---------------------------------------------------------------
Cache Hits 0 |
Cache Misses 0 |
Memory Used 0 |Bytes Served 0
Entries Cached 0 |Entries Replaced 0
Entries Aged Out 0 |Entries Cleaned 0
Total Requests 0 |Cacheable Requests 0
No-cache Requests 0 |No-cache Responses 0
Revalidation Successes 0 |Revalidation Failures 0
Policy URI nocache 0 |Policy URI cache 0
Policy URI invalidate 0 |Content Too Big 0
Content Too Small 0 |Cache add skips 0

Entry create failures 0 |Double enqueues 0
Double deletes (hlist) 0 |Double deletes (list) 0
GUI Example:
Figure 35: Monitor > Service > Application > RAM Caching
Now, use your laptop’s web browser to go to your virtual server IP address and fetch the file
index.html (e.g. http://192.168.18.101/index.html )
Look at what has happened on the AX by doing a show command again as shown below

main_vip:80
---------------------------------------------------------------
Cache Hits 0 |
Cache Misses 3 |
Notice how there were 4 requests made in getting this page. Notice that 3 of them were
cacheable while one wasn’t. You can see that there are 3 misses and 3 objects were cached.
We can get more information on what got cached by doing the following command.
AX#show slb cache entries main_vip 80

main_vip:80
Host Object URL Bytes Status Expires in
-----------------------------------------------------------------------------------------------
192.168.18.101 /a10banner.jpg 7498 FR 989 s
192.168.18.101 /index.html 757 FR 593975 s
192.168.18.101 /index-mast-090126c.jpg 5854 FR 989 s
AX #
As you can see, the cache has 3 entries. Two of the objects are images (JPEGs) and they have
been cached for 1000 seconds. The other is the HTML file index.html and it has been cached
for 60000 seconds. Both entries are fresh (FR).
Question: What is the 4th request and why isn’t it cached?
Now, clear the cached entries from the browser by going to the appropriate menu and doing a
“Delete Browsing History” if you are using IE or the equivalent command for your browser of
choice. You will need to do this, otherwise the browser will just pick up the object from its local
cache instead of requesting it from the AX on the subsequent request.
Now make another request for the http://192.168.18.101/index.html page.

Then issue the show command shown below one more time to see what happens.

main_vip:80
---------------------------------------------------------------
Cache Hits 3 |
Cache Misses 3 |

As you can see, now the 3 objects were found in the cache (notice the Cache Hits). You can
also see that the 3 objects were served from the cache (notice the Bytes Served).
Changing the default behavior – Caching policies

Create a couple of caching policies to modify the default behavior by specifying the commands
shown below.
AX(config)#slb template cache ramcache

AX(config-ram caching)#policy uri /index.html cache 8000
AX(config-ram caching)#policy uri /a10banner.jpg nocache
AX (config)#exit
Your caching template will now look as shown below.
AX(config-ram caching)#show slb template cache ramcache

slb template cache ramcache
age 300
min-content-size 50
policy uri /index.html cache 8000
policy uri /a10banner.jpg nocache
Now, clear your cache entries using the command shown below.
AX# clear slb cache entries main_vip 80
Now, clear you browser cache as previously described and hit the url
http://192.168.18.101/index.html again.
AX(config-ram caching)#show slb cache entries main_vip 80

main_vip:80
Host Object URL Bytes Status Expires in
-----------------------------------------------------------------------------------------------
192.168.18.101 /index.html 781 FR 7982 s
192.168.18.101 /index-mast-090126c.jpg 15854 FR 982 s
Notice how this time only 2 objects are in the cache. Also notice how the time that /index.html is
cached is now 8000 seconds.
Lab #9– System Configuration Practice

AX(config)#sh ver
AX Series Advanced Traffic Manager AX2000

Copyright 2007-2009 by A10 Networks, Inc.
Advanced Core OS (ACOS) version 2.0.2, build 56 (Mar-20-2009,18:46)

Booted from hard disk secondary image
Serial Number: AX20231108040037
aFleX version: 2.0.0
Hard disk primary image version 1.2.7-p1, build 5
Hard disk secondary image (default) version 2.0.2, build 56
Compact flash primary image (default) version 1.2.1, build 259
Compact flash secondary image version 1.2.1, build 259
Last configuration saved at Apr-9-2009, 16:10
Hardware: 4 CPUs, Single 75G Hard disk
Memory 2072 Mbyte, Free Memory 837 Mbyte
Current time is Apr-12-2009, 02:33
The system has been up 0 day, 0 hour, 19 minutes
GUI Example:
Figure 36: Monitor > Overview> Summary
AX(config)#sh startup all

Current startup-config profile: anu-ssl-response-time-test
Primary startup-config profile: anu-ssl-response-time-test
Secondary startup-config profile: anu-ssl-response-time-test
Profile-Name Size Time
------------------------------------------------------------
gilbert 1819 Apr 30 19:11
steven 787 May 06 15:55
hawkins 2640 Jul 03 13:30
tim 2640 Jul 03 13:30
smartbits 955 Jul 29 12:06
kddi 8755 Sep 05 15:41

comcast-prom-vip 1663 Dec 16 13:56
ax2k-l2-hot-standby 10644 Sep 10 17:18
vip-failover 0 Sep 11 14:24
slb-templates 910 Sep 12 13:07
disabled 910 Sep 13 11:08
bug23859 910 Sep 16 13:01
ax2k-l2inline 11642 Nov 17 13:56
ax2k-l3inline 10527 Nov 13 15:42
AX(config)#link ?
startup-config Startup Configuration
AX(config)#link startup ?
default Default startup-config
WORD<length:1-31> Local Configuration Profile Name
AX(config)#link startup anu-ssl-response-time-test ?
cf Create link in compact flash
primary Create link in primary partition
secondary Create link in secondary partition
<cr>
AX(config)#link startup anu-ssl-response-time-test
New Profile will come into effect after next reload/reboot
AX(config)#booti ?
cf Compact flash
hd Hard disk
AX(config)#booti hd ?
pri Primary image
sec Secondary image
AX(config)#booti hd sec ?
<cr>
AX(config)#booti hd sec
Secondary image will be used if AX is booted from hard disk
AX(config)#
You will need console access for this.
Changing boot partition during bootup
While system is booting up at the BIOS, hit F2 to see boot menu. Useful if HD can not
boot and you need to boot from CF.
Manufacturing reset
• Reboot the system

• In the first 5 minutes after the system is booted up, login the system from the
console port. The user name is “reset” and the password is the serial number of
the AX system. The serial number is labeled in the back of the AX system.
Welcome to AX
AX login: reset
Password: AX22231107390014
• Answer the following questions:

- Reset the admin password to default

- Reset enable password to default
- Erase the startup-config
• Login as admin. Set the new password/enable-password and then save the
configuration.
AX Debugging lab
AX#sh stat
Port Good Rcv Good Sent Bcast Rcv Bcast Sent Errors
---------------------------------------------------------------------------
1 41 0 14 0 0
2 0 0 0 0 0
3 0 0 0 0 0
4 0 0 0 0 0
5 0 8720 0 8720 0
6 33463 66384 0 9149 0
7 0 0 0 0 0
9 0 0 0 0 0
10 0 0 0 0 0
GUI Example:

Figure 37: Monitor > Network > Interfaces
AX#sh slb switch

Total
------------------------------------------------------------------
L2 Forward 0
L3 IP Forward 0
IPv4 No Route Drop 0
L3 IPv6 Forward 0
IPv6 No Route Drop 0
L4 Process 15
Incorrect Len Drop 0
Prot Down Drop 0
Unknown Prot Drop 0
TTL Exceeded Drop 0
Link Down Drop 0
SRC Port Suppression 0
VLAN Flood 0
IP Fragment Rcvd 0
ARP REQ Rcvd 0
ARP RESP Rcvd 0
Forward Kernel 5
IP(TCP) Fragment Rcvd 0
IP Fragment Overlap 0
IP Frag Overload Drops 0
IP Fragment Reasm OKs 0
IP Fragment Reasm Fails 0
Anomaly LAN Attack Drop 0
Anomaly IP OPT Drops 0
Anomaly PingDeath Drop 0
Anomaly All Frag Drop 0
Anomaly TCP noFlag Drop 0
Anomaly SYN Frag Drop 0
Anomaly TCP SYNFIN Drop 0
Anomaly Any Drops 0
MTU exceeded Drops 0
BPDUs Received 0
BPDUs Sent 0
ACL Denys 0
SYN rate exceeded Drop 0
Packet Error Drops 0
GUI Example:
Figure 38: Monitor > Overview > Application > switch
AX#sh slb l4
Total
------------------------------------------------------------------
IP out noroute 0
TCP out RST 0
TCP out RST no SYN 0
TCP out RST L4 proxy 0
TCP out RST ACK attack 0
TCP out RST aFleX 0
TCP out RST stale sess 0
TCP out RST TCP proxy 0
TCP SYN received 1
TCP SYN cookie snt 1
TCP SYN cookie snt fail 0
TCP received 15
UDP received 0
Server sel failure 0
TCP SYN cookie failed 0
No vport drops 0
No SYN pkt drops 0
No SYN pkt drops - FIN 0
No SYN pkt drops - RST 0
No SYN pkt drops - ACK 0
Conn Limit drops 0
Conn Limit resets 0
Proxy no sock drops 0
aFleX drops 0
Session aged out 0
TCP no SLB 0
UDP no SLB 0
SSL SID persist (succ) 0
SSL SID persist (fail) 0
SYN Throttle 0
Misc Error Mask 0
Misc Errors 0
AX#sh slb http
Total
------------------------------------------------------------------
Curr Proxy Conns 0
Total Proxy Conns 1
HTTP requests 1
No proxy error 0
Client RST 0
Server RST 0
No tuple error 0
Parse req fail 0
Fwd req fail 0
Fwd req data fail 0
Req retransmit 0
Server conn made 1
AX(config)#sh runn | be slb virtual

slb virtual-server vs-ssl 20.20.5.150
port 443 https
source-nat pool natpool
service-group sg-80
template client-ssl clientssl
!
!
!

AX(config)#sh slb virtu vs-ssl
Virtual server: vs-ssl State: All Up IP: 20.20.5.150
Pri Port/State Curr-conn Total-conn Rx-Pkt Tx-Pkt
------------------------------------------------------------------------
Virtual Port:443 / service:sg-80 / state:All Up

port 443 https
1 ssl-server:80/Up 0 1 5 5
Source NAT Pool: natpool SSL Client Template: clientssl
AX(config)#sh slb virtu vs-ssl ?
detail Virtual server details including statistics
<1-65535> virtual port
| Output modifiers
<cr>
AX(config)#sh slb virtu vs-ssl deta
Virtual server name: vs-ssl
Virtual server IP address: 20.20.5.150
Virtual server template: default
Current connection: 0
Total connection: 1
Total forwarded byte: 478
Total forwarded packet: 5
Total received byte: 3333
Total received packet: 5
AX(config)#sh slb service-g sg-80
Service group name: sg-80 State: All Up
Service: ssl-server:80
Request packets: 5 Response packets: 5
Request bytes: 478 Response bytes: 3333
Current connections: 0 Persistent connections: 0
Total connections: 1 Response time: 0.00 msec
AX(config)#sh slb service-g sg-80 ?
WORD service group name
config Service Group configuration
| Output modifiers
<cr>
AX(config)#sh slb server ssl-server
Total Number of Services configured on Server ssl-server: 2
Service Current Total Req-pkt Resp-pkt State/Rsp Time
--------------------------------------------------------------------------------
ssl-server:443/tcp 0 0 0 0 Up 0.00 ms
ssl-server:80/tcp 0 1 5 5 Up 0.00 ms
ssl-server: Total 0 1 5 5 Up
AX(config)#sh slb server ssl-server ?

config Configuration
connection-reuse Connection Reuse Statistics
detail Server details including statistics
<1-65535> Port number
| Output modifiers
<cr>
AX(config)#sh slb server ssl-server det
Server name: ssl-server
Server IP address: 192.168.100.1
State: Up
Server template: default
Health check: default
Current connection: 0
Total connection: 1
Total forwarded byte: 478
Total forwarded packet: 5
Total received byte: 3333
Total received packet: 5
AX(config)#
AX#d axdebug ?
<cr>
AX#axdebug
AX(axdebug)#?
capture Dump packets
clear Clear or Reset Functions
count Maximum packets to capture. Default is 3000
delete Delete a capture file
exit Exit from axdebug mode
filter Global debug filter
incoming Incoming interface
length Packet length to capture
maxfile Maximum number of debug packet files. Default is 100
no Negate a command or set its defaults
outgoing Outgoing interface
show Show Running System Information
timeout Maximum number of minutes for a capture. Default is 5 minutes
write Write Configuration
AX(axdebug)#ccap apture ?
brief Print basic packet information
detail Include packet payload
non-display Do not print to screen
save Save packets into file
AX(axdebug)#capture bei rif ef
Wait for debug output, enter <ctrl c> to exit
i( 5, 0,1100a)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 S 974c4e:0(0)
o( 5, 0,1100a)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 SA 89571844:974c4f(0)
i( 5, 0,1100b)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 A 974c4f:89571845(0)
i( 5, 0,1100c)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 PA 974c4f:89571845(142)
o( 5, 0,1100b)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 A 89571845:974cdd(0)
o( 5, 0,14555)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 PA 89571845:974cdd(1031)
i( 5, 0,1100d)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 A 974cdd:89571c4c(0)
i( 5, 0,1100e)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 PA 974cdd:89571c4c(198)
o( 5, 0,1100d)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 A 89571c4c:974da3(0)
o( 5, 0,14554)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 PA 89571c4c:974da3(59)
i( 5, 0,1100f)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 PA 974da3:89571c87(218)
o( 5, 0,14553)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 A 89571c87:974e7d(0)
o( 6, 0,14551)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 S 8cfd3ae:0(0)
i( 6, 0, 9d02)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2053 SA
23e4f456:8cfd3af(0)
o( 6, 0,14550)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 A
8cfd3af:23e4f457(0)
o( 6, 0, 9d02)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 PA
8cfd3af:23e4f457(142)
i( 6, 0, 9d01)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2053 A
23e4f457:8cfd43d(1356)
o( 6, 0,1454f)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 A
8cfd43d:23e4f9a3(0)
i( 6, 0, 9d00)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2053 PA
23e4f9a3:8cfd43d(1356)
o( 5, 0,1454d)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 A 89571c87:974e7d(1368)
o( 5, 0,1454c)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 PA 895721df:974e7d(29)
i( 6, 0, 9cff)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2053 PA
23e4feef:8cfd43d(353)
o( 6, 0,1454b)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 A
8cfd43d:23e50050(0)
o( 5, 0,14549)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 A 895721fc:974e7d(1368)
o( 5, 0,14548)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 PA 89572754:974e7d(29)
i( 5, 0,11010)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 A 974e7d:895721fc(0)
o( 5, 0,11010)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 PA 89572771:974e7d(389)
i( 5, 0,11011)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 A 974e7d:89572771(0)
i( 5, 0,11012)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 FA 974e7d:895728f6(0)
o( 5, 0,11011)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 FA 895728f6:974e7e(0)
o( 6, 0,14546)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 FA
8cfd43d:23e50050(0)
i( 5, 0,11013)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 A 974e7e:895728f7(0)
i( 6, 0, 9cfe)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2053 FA
23e50050:8cfd43e(0)
o( 6, 0,11013)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 A
8cfd43e:23e50051(0)
Dump SSL encrypted data
AX#debug packet l3 ip 20.20.5.150

AX#debug ssl
AX#debug http
AX#debug tcp
AX#show debug
debug packet is on
debug tcp-proxy is on
debug http-proxy is on
debug ssl is on
AX#debug mon
Wait for debug output, enter <ctrl c> to exit
i( 5, 0,1109d)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 S 97d96bd2:0(0)
o( 5, 0,1109d)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 SA 3dbd5544:97d96bd3(0)
i( 5, 0,1109e)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 A 97d96bd3:3dbd5545(0)
(51983178) skb(0xa884f700), skb->len 66
(51983178) master sock 0xb1083b50, conn 0x80040b80, conn_tuple 0x80040b80, dir 0 (nil)
(nil)
(51983178) Create a child sock 0xb105c4d0 parent 0xb1083b50
(51983178) TCP Notification 0xb105c4d0 0x1
i( 5, 0,1109f)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 PA
97d96bd3:3dbd5545(142)
(51983178) skb(0xa884ff00), skb->len 208
o( 5, 0,1109e)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 A 3dbd5545:97d96c61(0)
(51983178) sending len 1031 1368 1368
o( 5, 0, 9c6b)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 PA
3dbd5545:97d96c61(1031)
i( 5, 0,110a0)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 A 97d96c61:3dbd594c(0)
(51983179) skb(0xa8850700), skb->len 66
i( 5, 0,110a1)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 PA
97d96c61:3dbd594c(198)
(51983179) skb(0xa8850f00), skb->len 264
o( 5, 0,110a0)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 A 3dbd594c:97d96d27(0)
(51983179) sending len 59 1368 1368
o( 5, 0, 6fe4)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 PA 3dbd594c:97d96d27(59)
(51983179) HTTP proxy process, ev 1, tup 0x80040b80, data (nil)
(51983179) (HTTP_PROXY_CLIENT_REQUEST) 0x80040c00
(51983179) (HTTP_PROXY_CLIENT_REQUEST) 0x80040c00 Client connected.
i( 5, 0,110a2)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 PA
97d96d27:3dbd5987(218)
(51983179) skb(0xa8851700), skb->len 284
o( 5, 0, 6fe3)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 A 3dbd5987:97d96e01(0)
=====decryption start:142=====
GET /tours/index.html HT
TP/1.0..User-Agent: Wget
/1.9+cvs-stable (Red Hat
modified)..Host: 20.20.
5.150..Accept: */*..Conn
ection: Keep-Alive....
=====decryption end=====
(51983179) HTTP proxy process, ev 2, tup 0x80040b80, data 0xa8851700
(51983179) (HTTP_PROXY_CLIENT_REQUEST) 0x80040c00 client request enqueue 0xa8851700
(51983179) lb_http_proxy_inspect_client_request
(51983179) HTTP request GET /tours/index.html HTTP/1.0
(51983179) (HTTP_PROXY_CLIENT_REQUEST) 0x80040c00 request inspected, forward to
server...
(51983179) lb_http_proxy_forward_request
(51983179) New client tcp established. 0xb105c810 0x83a6898
o( 6, 0, 6fe1)> ip 192.168.100.249 > 192.168.100.1 tcp 2094 > 80 S c0325922:0(0)
(51983179) HTTP State Change: HTTP_PROXY_CLIENT_REQUEST->HTTP_PROXY_SERVER_CONNECTING
0x80040c00
i( 6, 0, 2f14)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2094 SA
b9df9c26:c0325923(0)
(51983179) skb(0xa178a700), skb->len 74
o( 6, 0, 6fe0)> ip 192.168.100.249 > 192.168.100.1 tcp 2094 > 80 A
c0325923:b9df9c27(0)
(51983179) TCP Notification 0xb105c810 0x5
(51983179) (HTTP_PROXY_SERVER_CONNECTING) 0x80040c00
(51983179) (HTTP_PROXY_SERVER_CONNECTING) 0x80040c00 Server Connected.
(51983179) HTTP send one request, proxy 0x80040c00, 503(0)
(51983179) Forward idempotent request to server..., 0xa8851700
(51983179) sending len 142 1448 1448
o( 6, 0, 2f14)> ip 192.168.100.249 > 192.168.100.1 tcp 2094 > 80 PA
c0325923:b9df9c27(142)
(51983179) HTTP State Change: HTTP_PROXY_SERVER_CONNECTING-
>HTTP_PROXY_SERVER_CONNECTED 0x80040c00
i( 6, 0,129b8)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2094 A
b9df9c27:c03259b1(1356)
(51983179) skb(0xa94dc700), skb->len 1422
o( 6, 0, 6fdf)> ip 192.168.100.249 > 192.168.100.1 tcp 2094 > 80 A
c03259b1:b9dfa173(0)
(51983179) HTTP proxy process, ev 2, tup 0x80040b98, data 0xa94dc700
(51983179) (HTTP_PROXY_SERVER_CONNECTED) 0x80040c00
(51983179) HTTP State Change: HTTP_PROXY_SERVER_CONNECTED->HTTP_PROXY_SERVER_RESPONSE
0x80040c00
(51983179) (HTTP_PROXY_SERVER_RESPONSE) 0x80040c00
(51983179) (HTTP_PROXY_SERVER_RESPONSE) 0x80040c00 server resp, http enqueue,
0xa94dc700
(51983179) Find Content-Length: 2975
(51983179) HTTP slow path, running remain_len 1709
(51983179) HTTP response, status 200
=====encryption start:1356=====
HTTP/1.1 200 OK..Content
-length: 2975..Content-T
ype: text/html..Connecti
on: Keep-Alive....<html>
..<head>..<title>Mercury
Tours</title>..<meta ht
tp-equiv="Content-Type"
content="text/html; char
set=iso-8859-1">..</head
>....<body bgcolor="#FFF
FFF" marginwidth=0 margi
nheight=0 topmargin=0 le
ftmargin=0>..<table widt
h="100%" border="0" cell
spacing="0" cellpadding=
"0">.. <tr bgcolor="#00
00CC" align="center"> ..
<td>.. <table w
idth="100%" border="0" c
ellspacing="8" cellpaddi
ng="0">.. <tr ali
gn="center"> ..
<td><img src="Merc10-de
v/images/banner_animated
.gif" width="576" height
="100"></td>.. </
tr>.. </table>..
.. </td>.. </tr>.
. <tr>.. <td>..
<table width="632" bord
er="0" cellspacing="0" c
ellpadding="0">..
<tr>.. <td bgc
olor="#66CCFF" width="12
5" valign="top"><img src
="Merc10-dev/images/sun_
swede.gif" alt=Sun width
=125 height=120> ..
<br clear>..
<form method=get
action=/cgi-bin/login>..
<input typ
e=hidden name=userSessio
n value=75893.0884568651
DQADHfApHDHfcDtccpfAttcf
>.. <center
>.. <tabl
e border=0 height=140>..
<tr>..
<td>
<font size=3> <b>Me
mber name</b></font> ..
<tr>..
<td>.
. <
input type=text name=use
rname value=
=====encryption end=====
(51983179) msg_complete? 0
i( 6, 0, cfc)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2094 PA
b9dfa173:c03259b1(1356)
(51983179) skb(0xa067e700), skb->len 1422
(51983179) sending len 1397 1368 1368
o( 5, 0, 6fdd)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 A
3dbd5987:97d96e01(1368)
o( 5, 0, 6fdc)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 PA 3dbd5edf:97d96e01(29)
(51983179) HTTP proxy process, ev 2, tup 0x80040b98, data 0xa067e700
(51983179) (HTTP_PROXY_SERVER_RESPONSE) 0x80040c00 Response from server, forward
'' size=12>..
<tr>..
<td><font size=
3> <b>Password</b><
/font> ..
<tr>..
<td>..
<input type=pas
sword name=password valu
e='' size=12>..
<tr>..
<td align=cen
ter>..
<input type=image na
me=login value=Login alt
=Login border=0 src='Mer
c10-dev/images/login.gif
' width=95 height=25>...
. ..
</table>..
</center>..
<p>..
<input type=h
idden name=JSFormSubmit
value='off'>..
</p>..
<p> </p>..
</form>.. <
/td>.. <td vali
gn="top">.. <
table width="507" border
="0" cellspacing="0" cel
lpadding="0">....
<tr>..
<td>..
<table width=507>
........<img src="images
/banner_merctur.jpg" wid
th=507 height=94>..<br c
lear>..<table width=507>
..<tr><td> <TR><TD>
..<blockquote><font size
=+1>....Welcome to
the Mercury Tours websi
te. To make reservation
s, please enter..your ac
count inform
i( 6, 0, cfb)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2094 PA
b9dfa6bf:c03259b1(353)
(51983180) skb(0xa067df00), skb->len 419
o( 6, 0, 6fdb)> ip 192.168.100.249 > 192.168.100.1 tcp 2094 > 80 A
c03259b1:b9dfa820(0)
(51983180) sending len 1397 1368 1368
o( 5, 0, 6fd9)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 A
3dbd5efc:97d96e01(1368)
o( 5, 0, 6fd8)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 PA 3dbd6454:97d96e01(29)
(51983180) HTTP proxy process, ev 2, tup 0x80040b98, data 0xa067df00
(51983180) (HTTP_PROXY_SERVER_RESPONSE) 0x80040c00 Response from server, forward
ation to the left. ..<!
-- To sign up with Mercu
ry Tours,..choose a Memb
er Name and Password, th
en click on the 'sign up
' button. -->..</font>..
</blockquote>......
</table>..
</td>..
</tr>..
</table>..
</td>.. </tr>.
. </table>.. </t
d>.. </tr>..</table>..<
/body>..</html>..
(51983180) HTTP State Change: HTTP_PROXY_SERVER_RESPONSE->HTTP_PROXY_CLIENT_REQUEST
0x80040c00
i( 5, 0,110a3)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 A 97d96e01:3dbd5efc(0)
(51983180) skb(0xa8851f00), skb->len 66
(51983180) sending len 389 1368 1368
o( 5, 0,110a3)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 PA
3dbd6471:97d96e01(389)
i( 5, 0,110a4)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 A 97d96e01:3dbd6471(0)
(51983180) skb(0xa8852700), skb->len 66
i( 5, 0,110a5)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 FA 97d96e01:3dbd65f6(0)
(51983180) skb(0xa8852f00), skb->len 66
(51983180) sk 0xb105c4d0, state 8
o( 5, 0,110a4)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 FA 3dbd65f6:97d96e02(0)
(51983180) sk 0xb105c810, state 1
o( 6, 0, 6fd6)> ip 192.168.100.249 > 192.168.100.1 tcp 2094 > 80 FA
c03259b1:b9dfa820(0)
i( 5, 0,110a6)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 A 97d96e02:3dbd65f7(0)
(51983180) skb(0xa8853700), skb->len 66
(51983180) Destruction of the TCP socket 0xb105c4d0 delayed, refcnt=2
i( 6, 0, cfa)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2094 FA
b9dfa820:c03259b2(0)
(51983180) skb(0xa067d700), skb->len 66
o( 6, 0,110a6)> ip 192.168.100.249 > 192.168.100.1 tcp 2094 > 80 A
c03259b2:b9dfa821(0)
(51983180) Destruction of the TCP socket 0xb105c810 delayed, refcnt=2
Things to do before calling tech support.
If problem is reproducible, then
1. Issue show tech

2. Create issue
3. Issue show tech
4. Send both show tech to support@a10networks.com
If problem happens already and you already rebooted the system, then
1. Issue show tech

2. Issue backup log
3. Send both show tech and backup log to support@a10networks.com

A10 AX Training Booklet 032010

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

A10 AX Training Booklet 032010

Uploaded by

Copyright:

Available Formats

Contents

Training Labs ................................................................................................................................ 3

A10 Networks Confidential Information

login as: admin

[type ? for help]

A10 Networks Confidential Information 3

Figure 1: Login Screen

A10 Networks Confidential Information 4

AX(config-real server)#show slb server

A10 Networks Confidential Information 5

Adding Service Ports

AX(config)#slb server web1

AX(config-real server-node port)#show slb server

A10 Networks Confidential Information 6

Adding A Service Group

AX(config)#slb service-group web_group tcp

AX(config-slb svc group)#show slb service-group

A10 Networks Confidential Information 7

Configuring IP NAT Pools

AX(config)#ip nat pool source_nat1 192.168.18.151 192.168.18.151 netmask /24

AX(config)#show ip nat pool

Total IP NAT Pools: 1

Pool Name Start Address End Address Mask Gateway HA Group

source_nat1 192.168.18.151 192.168.18.151 /24 0.0.0.0 0

A10 Networks Confidential Information 8

Figure 6: Config > Service > IP Source NAT > Add

Creating a Virtual Server and IP (VIP)

AX(config)#slb virtual-server main_vip 192.168.18.101

AX(config-slb vserver)#port 80 http

A10 Networks Confidential Information 9

AX(config-slb vserver-vport)#show slb virtual-server

Figure 7: Config > Service > SLB > Virtual Server

A10 Networks Confidential Information 10

A10 Networks Confidential Information 11

Creating A Health Monitor

AX#show slb server config

web2:80/tcp 192.168.18.202 Default Enable 1000000 1

AX(config)#health monitor http-default

AX(config-health:monitor)#show health monitor http-default

A10 Networks Confidential Information 12

Using The Health Monitor

AX(config)#slb server web1

A10 Networks Confidential Information 13

AX(config-real server-node port)#show health monitor

AX(config-real server-node port)#show slb server config

web2:80/tcp 192.168.18.202 Default Enable 1000000 1

AX(config-real server-node port)#show slb server

Health Monitor Failures & Service Down

AX(config)#health monitor http-hm interval 5 retry 1

A10 Networks Confidential Information 15

AX(config)#slb server web1

AX(config-real server-node port)#show slb server

A10 Networks Confidential Information 16

Server Versus Service Port Status

More HTTP Health Monitor Options

AX(config)#health monitor http-hm

AX(config-real server-node port)#show slb server

A10 Networks Confidential Information 17

AX(config)#health monitor http-hm

AX(config-health:monitor)#show slb server

AX(config)#health monitor http-hm

The service port should come back up once again.

AX(config-health:monitor)#show slb server