Managing your AX
Your AX unit has been pre-configured with your assigned IP address. Each student has also
been assigned an IP address for their laptop client (refer to the PowerPoint presentation or ask
your instructor).
Configure your laptop client with the appropriate IP address and access the AX’s CLI using
SSH/Telnet from your laptop. Use the default login name “admin” and default password “a10” to
log in.
AX>
AX>enable
Password:
AX#
You are now ready to start configuring your AX unit. At any time, you can use the question mark
(?) in the CLI to get help text, and the Tab key for command auto-completion.
Adding Servers to AX
There are two web servers on the classroom’s lab network with IP addresses 192.168.18.201
and 192.168.18.202.
In order to load balance traffic to these servers, you must first add them to the AX. To configure
the AX, you must enter config mode. Once in config mode, add the first server using the
commands shown below.
AX#config
AX(config)#slb server web1 192.168.18.201
AX(config-real server)#
You can confirm that your servers have been added using the “show slb server” command.
web2: Total 0 0 0 0 Up
GUI Example:
Figure 2: Config > Service > SLB > Server > Add
Now add TCP port 80 as a service port for the server “web2” as well.
You can confirm the service ports have been added using the “show slb server” command
again.
web2:80/tcp 0 0 0 0 Up
web2: Total 0 0 0 0 Up
Figure 4: Config > Service > SLB > Server (Add the Port Details)
Create a new TCP service group named “web_group” and add the two web servers’ service port
80 as members of the group using the commands below.
Confirm the service group configuration using the “show slb service-group” command.
GUI Example:
Figure 5: Config > Service > SLB > Server Group (Add the two servers in the Service Group)
Add an IP NAT pool named “source_nat1” using the commands below and replace the IP
address with your assigned IP. For the purposes of this lab, the start and end addresses are the
same (i.e. an IP NAT pool consisting of a single IP address).
Confirm your configured IP NAT pool using the “show ip nat pool” command.
-----------------------------------------------------------------------------------
Use the commands below to create a virtual server named “main_vip” and replace the IP with
the address assigned by your instructor.
Once the VIP is configured, you can add a virtual service port for load balancing. In this lab, we
will configure a virtual HTTP web service load balanced across our two servers.
Use the commands below to create the virtual HTTP service port that will use the service group
“web_group” and IP NAT pool “source_nat1” for source NAT load balancing.
Congratulations! You are now ready to send traffic to your AX. Use a web browser on your
laptop and access your VIP. Browse the test website and watch your traffic get load balanced
across the two web servers. Use the “show” commands you tried in the above steps to take a
look at the statistics.
GUI Example:
Figure 9: Config > Service > SLB > Virtual Server (Port Added)
Now you will configure an HTTP health monitor for the servers’ web service port.
Create a health monitor named “http-default” that uses the HTTP health check method with the
following commands.
This creates a health monitor that uses the default parameters for the HTTP method. You can
view the details using the “show health monitor http-default” command.
Now that you have created a health monitor, it needs to be used. The following commands will
associate the health monitor you just created to the TCP 80 service port of server “web1”.
Check that the health monitor is now in use with the below commands.
Since our web servers are running and there is a page available at the HTML root, this health
monitor will not change the server’s status (as seen below).
web2:80/tcp 0 0 0 0 Up
web2: Total 0 0 0 0 Up
Let’s create another health monitor to demonstrate how health check failures will bring a
server/service port status down.
Since this page does not exist on the web servers in our classroom lab, the health monitor will
return failure. Use it on server “web1” and observe what happens.
After several seconds, the service port’s status will become down.
web2:80/tcp 0 0 0 0 Up
web2: Total 0 0 0 0 Up
Try sending some requests to the AX VIP using your laptop’s web browser. You will notice that
the requests are no longer load balanced to server “web1” because its service port is down.
A health-check failure at the service port level will bring that particular service port down.
However, a failure at the server level will bring all service ports on that server down (even if the
service port health-check is successful).
Modify the “http-hm” health monitor to send a HEAD request for the “axseries.html” page.
Since the page “axseries.html” exists on the server, the health-check should be successful and
the service port should come back up.
web2:80/tcp 0 0 0 0 Up
web2: Total 0 0 0 0 Up
Your requests to the VIP should be load balanced to both web servers again.
Now let’s try using the “expect” option with an HTTP GET request. Modify the “http-hm” health
monitor to send an HTTP GET request for the “axseries.html” page and include an expect
option for the text “abcdefg”.
Since “abcdefg” does not appear anywhere on the requested page, your service port should go
down again.
web2:80/tcp 0 0 0 0 Up
web2: Total 0 0 0 0 Up
Now modify the health monitor to expect a string that does appear in the page. Change the
expect option to look for the string “ACOS”.
web2:80/tcp 0 0 0 0 Up
web2: Total 0 0 0 0 Up
Congratulations! You now have a solid understanding of how health monitors are created and
used. If you have time, explore the other options and health monitor methods available.
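The health-monitor behaviour exercised in this lab (HEAD or GET for a URL, an optional expect string, a service port going down on failure), as an added Python sketch that is not A10 code. It assumes a probe passes on HTTP status 200 and, when an expect string is set, only if that string is in the body; the local test server, the missing page name, the retry count and all function names are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the lab web server: one page that contains "ACOS".
PAGES = {"/axseries.html": b"<html><body>AX Series running ACOS</body></html>"}


class LabHandler(BaseHTTPRequestHandler):
    def _reply(self, include_body):
        body = PAGES.get(self.path)
        if body is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if include_body:
            self.wfile.write(body)

    def do_GET(self):
        self._reply(True)

    def do_HEAD(self):
        self._reply(False)

    def log_message(self, *args):  # keep the demo quiet
        pass


def health_check(host, port, method="GET", url="/", expect=None, timeout=2.0):
    """One probe: True means the check passed, False means it failed."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request(method, url)
        resp = conn.getresponse()
        body = resp.read()  # empty for HEAD
        conn.close()
    except (OSError, http.client.HTTPException):
        return False  # refused, timed out or malformed reply
    if resp.status != 200:  # assumption: only 200 counts as healthy
        return False
    if expect is not None and expect.encode() not in body:
        return False
    return True


class ServicePortState:
    """Marks the port down after `retries` consecutive failed probes."""

    def __init__(self, retries=3):  # constructed value, not an AX default
        self.retries = retries
        self.failures = 0
        self.up = True

    def record(self, ok):
        if ok:
            self.failures, self.up = 0, True
        else:
            self.failures += 1
            if self.failures >= self.retries:
                self.up = False
        return self.up


def effective_status(server_up, port_up):
    # A server-level failure takes every service port down,
    # even when the port's own health check succeeds.
    return "Up" if server_up and port_up else "Down"


def run_lab():
    """Replays the four monitor variants from the lab against the local server."""
    server = HTTPServer(("127.0.0.1", 0), LabHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    try:
        return {
            "GET missing page": health_check(host, port, "GET", "/no-such-page.html"),
            "HEAD axseries.html": health_check(host, port, "HEAD", "/axseries.html"),
            "GET expect abcdefg": health_check(host, port, "GET", "/axseries.html", "abcdefg"),
            "GET expect ACOS": health_check(host, port, "GET", "/axseries.html", "ACOS"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, ok in run_lab().items():
        print(name, "->", "pass" if ok else "fail")
```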
Lab #3 – Templates
In this lab you will create HTTP and Persist templates that will be used to change the way AX
load balances incoming requests.
You should now have a total of three service groups as shown below.
The “url-switching” option allows you to configure rules used to select different service groups
based on the URL requested.
AX(config-http)#url-switching ?
contains Select service group if URL string contains another string
ends-with Select service group if URL string ends with another string
match Deprecated. Same as contains
starts-with Select service group if URL string starts with another string
GUI Example:
Figure 14: Config > Service > Templates > Application > Http (Adding Http template)
Now that you have created your HTTP template, let’s use it on our virtual server to see it in
action.
GUI Example:
A10 Networks Confidential Information 22
Figure 16: Config > Service > SLB > Virtual Server > vip0, Port 80 (Adding http template)
Use your laptop’s web browser to go to your virtual server IP address (e.g.
http://192.168.1.101/)
You can confirm which service group was used using the “show slb service-group” command on
AX. Notice that the first request (i.e. HTTP GET “/”) uses the original service group “web_group”
because it does not match any of our URL switching rules. But the subsequent requests for the
images on the front page are sent to the service group “web_images”.
Figure 18: Monitor > Service > SLB > Service Group (Subsequent Reqs goes to web-images)
You can also use the “show slb http debug” command to see which switching method was used.
Browse the simple test website by clicking the hyperlinks. You should see requests being sent
to the service group “web_html”.
Now we will move on to a different type of template that modifies the way AX selects a server
for load balancing: persist templates.
Now remove the HTTP template and apply the source IP persist template to your virtual port.
GUI Example:
Figure 20: Config > Service > SLB > Virtual Server
Use your laptop to browse our simple test web site again. You should notice that all the
requests are sent to one of the web servers.
To view which source IPs are currently persisting to a server, use the “show session persist”
command.
The “Age” value shows how long AX will continue to persist to the server selected. The age will
be refreshed each time the same source IP sends a request to the virtual port. When the
persistent session ages out, AX will perform server selection again.
The default value is 300 seconds (5 minutes). This value can be modified as one of the template
options.
The “clear session persist” command will clear all persistent sessions. Try using this command
and then browse the website again.
GUI Example:
Figure 21: Config > Service > Templates > Persistent > Cookie Persistent
The “name” option allows you to specify a custom cookie name to be used. The default cookie
name will be something similar to “sto-id-20480”.
The “expire” option sets the expiration of the cookie. In this example, the cookie will expire 1800
seconds (30 minutes) after the browser first receives it from AX. Setting a value of 0 seconds
means the cookie will expire immediately after the current session is over (i.e. a session
cookie). If the option is not configured the default expiration is 10 years.
Remove the source IP persist template and apply the cookie persist template with the
commands below.
GUI Example:
Figure 22: Config > Service > SLB > Virtual Server
Visit the test website again and check your browser’s cookies. You should see the cookie
inserted by AX. You should also notice that once again your requests are persisting to the same
server.
You can use the “show slb http debug” command again to see what type of switching is being
used. This time, you should see the counters for “Cookie switching” being incremented.
------------------------------------------------------------------
Cookie switching 0 0 1 1 2
Try clearing your browser’s cookies and visit the site again to see a new server selected.
For the purposes of this lab, the certificate and key files have been placed on server “web1”
(192.168.1.201) and we will be importing them via SCP using the following commands. The
login and password are both “a10”.
You can view the certificates and keys that have been imported to AX using the command
below.
name: my_key
type: key
key size: 1024
Now that you have successfully imported the certificate and key to AX, we are ready to create
the templates to use them.
GUI Example:
Figure 23: Config > Service > Template > Client SSL
Since AX will be performing SSL acceleration (handshake, encryption, and decryption) with the
clients, our backend connections to the servers can be made unencrypted through port 80.
Use the service group “web_group” you configured previously on the HTTPS virtual service port.
We will also require the previously configured source NAT pool “source_nat1”.
You are now ready to test AX’s SSL acceleration. Use your web browser to hit the VIP using the
HTTPS protocol (e.g. https://192.168.18.101). Your browser will most likely give you a warning
You can check your SSL statistics using the command below.
192.168.18.11/32 1
192.168.18.12/32 2
192.168.18.13/32 1
192.168.18.14/32 2
192.168.18.15/32 1
192.168.18.16/32 2
192.168.18.17/32 1
192.168.18.18/32 2
192.168.18.19/32 1
192.168.18.20/32 2
Import the black/white list using the following command. The login and password are the same
as the previous lab, both are “a10”.
The “show bw-list” command can be used to show the lists currently on AX. You should see the
list you just imported.
AX(config)#show bw-list
Name Url Size(Byte) Date
--------------------------------------------------------------------------------
odd-even Local 144 Feb/19 12:14:32
Now you are ready to define some policies to use with this list.
In Lab #3 (Templates) you created two service groups named “web_html” and “web_images”.
We will be reusing these groups in this lab. You may remember that each service group
contains only one of our web servers (web_html = web1, web_images = web2).
First, remove any other templates that may have been left over from previous labs on your
HTTP virtual service port. Simply prefix the command with the keyword “no”. The example
below shows how to remove the cookie persist template we configured in our previous lab.
Now add the black/white list to our virtual HTTP port using the following command.
Also configure the policies that will select the appropriate service group based on the group ID
in the black/white list.
Browse the website with your partner. You should notice that all of your requests are sent to one
of the servers, and your partner’s requests are sent to the other server.
Try the “show pbslb” command to view the PBSLB statistics. Sample output is shown below.
AX#show pbslb
Total number of PBSLB configured: 1
Virtual Server Port Blacklist/whitelist GID Connection # (Establish Reset Drop)
--------------------------------------------------------------------------------
main_vip 80 odd-even 1 6 0 0
2 7 0 0
Also check that the policy is working. You and your partner’s requests should have been sent to
the “web_html” and “web_images” service groups.
Now try browsing the website again. Students with IP addresses belonging to group 1 should no
longer be able to fetch pages. Below is a sample screenshot from Firefox.
Using the “show pbslb” command again, you can see the “Reset” counter for group ID 1
increment.
AX#show pbslb
Total number of PBSLB configured: 1
Virtual Server Port Blacklist/whitelist GID Connection # (Establish Reset Drop)
--------------------------------------------------------------------------------
main_vip 80 odd-even 1 6 3 0
2 7 0 0
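The black/white list lookup and per-group policy used in this lab, as an added Python model that is not A10 code. It assumes group 1 maps to “web_html” and group 2 to “web_images”, that the most specific matching entry wins, and that clients not in the list fall through to the virtual port's default service group; the class and function names are constructed.

```python
import ipaddress
from collections import Counter

# The list shown in this lab: "<network> <group-id>" per line.
BW_LIST = """\
192.168.18.11/32 1
192.168.18.12/32 2
192.168.18.13/32 1
192.168.18.14/32 2
192.168.18.15/32 1
192.168.18.16/32 2
192.168.18.17/32 1
192.168.18.18/32 2
192.168.18.19/32 1
192.168.18.20/32 2
"""

RESET = object()  # policy action: reset the connection instead of forwarding


def parse_bw_list(text):
    """Return [(network, group_id)]; reject malformed lines and bad prefixes."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 2 or not fields[1].isdigit():
            raise ValueError("line %d: expected '<network> <group-id>'" % lineno)
        # ip_network() raises ValueError when host bits are set (e.g. .11/24).
        entries.append((ipaddress.ip_network(fields[0]), int(fields[1])))
    return entries


def find_conflicts(entries):
    """Audit check: the same network listed under two different group IDs."""
    seen, conflicts = {}, []
    for net, gid in entries:
        if net in seen and seen[net] != gid:
            conflicts.append((str(net), seen[net], gid))
        seen.setdefault(net, gid)
    return conflicts


def lookup_group(entries, client_ip):
    """Group ID of the most specific entry containing client_ip, or None."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, gid in entries:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gid)
    return best[1] if best else None


class Pbslb:
    """Per-group policy with Establish/Reset counters like 'show pbslb'."""

    def __init__(self, entries, policy, default_group):
        self.entries = entries
        self.policy = dict(policy)  # group id -> service group name or RESET
        self.default_group = default_group
        self.stats = {}

    def connect(self, client_ip):
        gid = lookup_group(self.entries, client_ip)
        action = self.policy.get(gid)
        if action is None:  # unlisted client or group without a policy
            return ("forward", self.default_group)
        counters = self.stats.setdefault(gid, Counter())
        if action is RESET:
            counters["reset"] += 1
            return ("reset", None)
        counters["establish"] += 1
        return ("forward", action)


if __name__ == "__main__":
    lb = Pbslb(parse_bw_list(BW_LIST), {1: "web_html", 2: "web_images"}, "web_group")
    for ip in ("192.168.18.11", "192.168.18.12", "192.168.18.99"):
        print(ip, lb.connect(ip))
    lb.policy[1] = RESET  # the last step of the lab: group 1 is reset
    print("192.168.18.11", lb.connect("192.168.18.11"), dict(lb.stats[1]))
```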
Lab #6 – aFleX
In this lab you will use different aFleX scripts to change how AX load balances traffic to our test
website. For the purposes of this lab, the aFleX scripts have been created in advance and your
instructor will go over each in detail during the lab.
Use the “show aflex” command to display the aFleX scripts that have been imported onto the
AX.
AX(config)#show aflex
Total aFleX number: 1
Max aFleX file size: 32K
Name Syntax Virtual port
------------------------------------------------------------
a1 Check No
Providing the aFleX name displays more details and the content of the aFleX script. Try it now
with the “a1” aFleX script.
AX#show aflex a1
Name: a1
Syntax: Check
Virtual port: No
Content:
when CLIENT_ACCEPTED {
pool web_html
}
This is a simple aFleX script that causes AX to always load balance to the service group
“web_html”.
Now add the aFleX script “a1” to the virtual service port using the commands shown below.
GUI Example:
Figure 27: Config > Service > SLB > Virtual Server
The virtual server’s configuration should now have the aFleX script “a1” added to the virtual port
80 HTTP service port.
Notice that the “show aflex” command’s output has changed to show that the script “a1” is in
use (has been “bound” to a virtual port).
AX#show aflex
Total aFleX number: 1
Max aFleX file size: 32K
Name Syntax Virtual port
------------------------------------------------------------
a1 Check Bind
Use your web browser to visit our test website again. Use the “show slb service-group”
command to verify the aFleX script is working (i.e. all the requests are being sent to the
“web_html” service group).
Try using the “show aflex <name>” command to see the number of times the aFleX script was
executed and check if there were any errors or aborts.
AX#show aflex a1
Name: a1
Syntax: Check
GUI Example:
Figure 28: Monitor > Service > aFlex
Use the command shown below to view the details of the aFleX script.
AX(config)#show aflex a2
Name: a2
Syntax: Check
Virtual port: Bind
main_vip: 80
Statistics:
Event HTTP_REQUEST execute 7 times (0 failures, 0 aborts)
Content:
when HTTP_REQUEST {
if {[HTTP::uri] ends_with "html" } {
This aFleX script emulates the URL switching used in the HTTP template lab.
• The aFleX checks the request URI using the command “[HTTP::uri]”.
• If the URI ends with “html” it selects the “web_html” service group.
• If the URI ends with “jpg” or “gif” it selects the “web_images” service group.
In addition, we use the aFleX command “log” to log a message for each of the cases covered
above.
Remove the aFleX “a1” from the virtual port and add aFleX “a2”.
Browse the test website and use the “show slb service-group” and “show log” commands to
verify the aFleX is working. You should see log messages similar to those shown below using
the “show log” command.
AX(config)#show log
Log Buffer: 30000
Feb 19 2009 18:37:14 Info [AFLEX]:Redirect request /exseries-index-banner.gif to
IMAGES service group
Feb 19 2009 18:37:14 Info [AFLEX]:Redirect request /exseries.html to HTML service
group
Feb 19 2009 18:37:13 Info [AFLEX]:Redirect request /axseries-platform-advantage.jpg
to IMAGES service group
Feb 19 2009 18:37:13 Info [AFLEX]:Redirect request /axseries.html to HTML service
group
Feb 19 2009 18:37:00 Info [AFLEX]:Redirect request /index-mast-090126c.jpg to
IMAGES service group
GUI Example:
Figure 29: Monitor > System > logging
You will learn the various show and clear commands associated with compression and how to
troubleshoot when you see problems.
GUI Example:
Figure 30: Config > Service > Template > Http> Create
The virtual server’s configuration should now have the HTTP template “compress” added to the
virtual port 80 HTTP service port.
Note: you may have to use the “no” form of the command to remove the 2 members you defined
earlier before you can add the new members.
Now, use your laptop’s web browser to go to your virtual server IP address and fetch the file
index.html (e.g. http://192.168.18.101/)
Look at what has happened on the AX by doing a show command as shown below
GUI Example:
Figure 33: Monitor > Service > Proxy
Look at what has happened on the AX by doing a show command as shown below
You will learn the various show and clear commands associated with RAM caching and how to
troubleshoot when you see problems.
GUI Example:
Figure 34: Config > Template > Application > Ram Caching > Create
Here, we are changing the age of the cache in the template from the default 3600 seconds to
300 seconds. We are also specifying the minimum size of the content to be cached as 50 bytes.
Now add the cache template ramcache to the virtual service port using the commands shown
below.
The virtual server’s configuration should now have the cache template “ramcache” added to the
virtual port 80 HTTP service port.
Look at the current state of the cache on your virtual port by doing the show command given
below.
GUI Example:
Figure 35: Monitor > Service > Application > RAM Caching
Now, use your laptop’s web browser to go to your virtual server IP address and fetch the file
index.html (e.g. http://192.168.18.101/index.html )
Look at what has happened on the AX by doing a show command again as shown below
As you can see, the cache has 3 entries. Two of the objects are images (JPEGs) and they have
been cached for 1000 seconds. The other is the HTML file index.html and it has been cached
for 60000 seconds. Both entries are fresh (FR).
Now, clear the cached entries from the browser by going to the appropriate menu and doing a
“Delete Browsing History” if you are using IE or the equivalent command for your browser of
choice. You will need to do this, otherwise the browser will just pick up the object from its local
cache instead of requesting it from the AX on the subsequent request.
Now, clear your cache entries using the command shown below.
Now, clear your browser cache as previously described and hit the URL
http://192.168.18.101/index.html again.
Notice how this time only 2 objects are in the cache. Also notice how the time that /index.html is
cached is now 8000 seconds.
GUI Example:
Figure 36: Monitor > Overview> Summary
While the system is booting up, hit F2 at the BIOS to see the boot menu. This is useful if the
HD cannot boot and you need to boot from CF.
Manufacturing reset
Welcome to AX
AX login: reset
Password: AX22231107390014
AX Debugging lab
AX#sh stat
Port Good Rcv Good Sent Bcast Rcv Bcast Sent Errors
---------------------------------------------------------------------------
1 41 0 14 0 0
2 0 0 0 0 0
3 0 0 0 0 0
4 0 0 0 0 0
5 0 8720 0 8720 0
6 33463 66384 0 9149 0
7 0 0 0 0 0
9 0 0 0 0 0
10 0 0 0 0 0
GUI Example:
Figure 38: Monitor > Overview > Application > switch
AX#sh slb l4
Total
------------------------------------------------------------------
IP out noroute 0
TCP out RST 0
TCP out RST no SYN 0
TCP out RST L4 proxy 0
TCP out RST ACK attack 0
TCP out RST aFleX 0
TCP out RST stale sess 0
TCP out RST TCP proxy 0
TCP SYN received 1
TCP SYN cookie snt 1
TCP SYN cookie snt fail 0
TCP received 15
UDP received 0
Server sel failure 0
Source NAT failure 0
TCP SYN cookie failed 0
No vport drops 0
No SYN pkt drops 0
No SYN pkt drops - FIN 0
No SYN pkt drops - RST 0
No SYN pkt drops - ACK 0
Conn Limit drops 0
Conn Limit resets 0
Proxy no sock drops 0
aFleX drops 0
Session aged out 0
TCP no SLB 0
UDP no SLB 0
SSL SID persist (succ) 0
SSL SID persist (fail) 0
SYN Throttle 0
Misc Error Mask 0
Misc Errors 0
AX#sh slb http
Total
------------------------------------------------------------------
Curr Proxy Conns 0
Total Proxy Conns 1
HTTP requests 1
HTTP requests(succ) 1
No proxy error 0
Client RST 0
Server RST 0
No tuple error 0
Parse req fail 0
Server selection fail 0
Fwd req fail 0
Fwd req data fail 0
Req retransmit 0
Req pkt out-of-order 0
Server reselection 0
Server premature close 0
Server conn made 1
Source NAT failure 0
Tot data before compress 0
Tot data after compress 0
AX#axdebug ?
<cr>
AX#axdebug
AX(axdebug)#?
capture Dump packets
clear Clear or Reset Functions
count Maximum packets to capture. Default is 3000
delete Delete a capture file
exit Exit from axdebug mode
filter Global debug filter
incoming Incoming interface
length Packet length to capture
maxfile Maximum number of debug packet files. Default is 100
no Negate a command or set its defaults
outgoing Outgoing interface
show Show Running System Information
timeout Maximum number of minutes for a capture. Default is 5 minutes
write Write Configuration
AX(axdebug)#capture ?
brief Print basic packet information
detail Include packet payload
non-display Do not print to screen
save Save packets into file
AX(axdebug)#capture brief
Wait for debug output, enter <ctrl c> to exit
i( 5, 0,1100a)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 S 974c4e:0(0)
o( 5, 0,1100a)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 SA 89571844:974c4f(0)
i( 5, 0,1100b)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 A 974c4f:89571845(0)
i( 5, 0,1100c)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 PA 974c4f:89571845(142)
o( 5, 0,1100b)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 A 89571845:974cdd(0)
o( 5, 0,14555)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 PA 89571845:974cdd(1031)
i( 5, 0,1100d)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 A 974cdd:89571c4c(0)
i( 5, 0,1100e)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 PA 974cdd:89571c4c(198)
o( 5, 0,1100d)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 A 89571c4c:974da3(0)
o( 5, 0,14554)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 PA 89571c4c:974da3(59)
i( 5, 0,1100f)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 PA 974da3:89571c87(218)
o( 5, 0,14553)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 A 89571c87:974e7d(0)
o( 6, 0,14551)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 S 8cfd3ae:0(0)
i( 6, 0, 9d02)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2053 SA
23e4f456:8cfd3af(0)
o( 6, 0,14550)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 A
8cfd3af:23e4f457(0)
o( 6, 0, 9d02)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 PA
8cfd3af:23e4f457(142)
i( 6, 0, 9d01)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2053 A
23e4f457:8cfd43d(1356)
o( 6, 0,1454f)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 A
8cfd43d:23e4f9a3(0)
i( 6, 0, 9d00)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2053 PA
23e4f9a3:8cfd43d(1356)
o( 5, 0,1454d)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 A 89571c87:974e7d(1368)
o( 5, 0,1454c)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 PA 895721df:974e7d(29)
i( 6, 0, 9cff)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2053 PA
23e4feef:8cfd43d(353)
o( 6, 0,1454b)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 A
8cfd43d:23e50050(0)
o( 5, 0,14549)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 A 895721fc:974e7d(1368)
o( 5, 0,14548)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 PA 89572754:974e7d(29)
i( 5, 0,11010)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 A 974e7d:895721fc(0)
o( 5, 0,11010)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 PA 89572771:974e7d(389)
i( 5, 0,11011)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 A 974e7d:89572771(0)
i( 5, 0,11012)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 FA 974e7d:895728f6(0)
o( 5, 0,11011)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 FA 895728f6:974e7e(0)
o( 6, 0,14546)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 FA
8cfd43d:23e50050(0)
i( 5, 0,11013)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 A 974e7e:895728f7(0)
i( 6, 0, 9cfe)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2053 FA
23e50050:8cfd43e(0)
o( 6, 0,11013)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 A
8cfd43e:23e50051(0)
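A parser for the “capture brief” lines above that pairs the client-side and server-side TCP connections, as an added Python example that is not an A10 tool. Reading the first number in parentheses as the interface and the trailing field as hex seq:ack with a decimal payload length is an assumption drawn from the sample; the excerpt embedded below is taken from the capture on this page, wrapped lines included.

```python
import re
from collections import namedtuple

# Excerpt of the capture above, including lines wrapped by the page layout.
SAMPLE = """\
i( 5, 0,1100a)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 S 974c4e:0(0)
o( 5, 0,1100a)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 SA 89571844:974c4f(0)
i( 5, 0,1100b)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 A 974c4f:89571845(0)
i( 5, 0,1100c)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 PA 974c4f:89571845(142)
o( 6, 0,14551)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 S 8cfd3ae:0(0)
i( 6, 0, 9d02)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2053 SA
23e4f456:8cfd3af(0)
o( 6, 0,14550)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 A
8cfd3af:23e4f457(0)
o( 6, 0, 9d02)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 PA
8cfd3af:23e4f457(142)
i( 5, 0,11012)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 FA 974e7d:895728f6(0)
o( 5, 0,11011)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 FA 895728f6:974e7e(0)
"""

Packet = namedtuple(
    "Packet", "direction iface src sport dst dport flags seq ack length")

PACKET_RE = re.compile(
    r"^(?P<direction>[io])\(\s*(?P<iface>\d+),\s*\d+,\s*[0-9a-f]+\)>\s+ip\s+"
    r"(?P<src>\S+) > (?P<dst>\S+) tcp (?P<sport>\d+) > (?P<dport>\d+)\s+"
    r"(?P<flags>[A-Z]+)\s+(?P<seq>[0-9a-f]+):(?P<ack>[0-9a-f]+)\((?P<length>\d+)\)$")
# A wrapped line leaves only "seq:ack(len)" on the following line.
TAIL_RE = re.compile(r"^[0-9a-f]+:[0-9a-f]+\(\d+\)$")


def parse_capture(text):
    """Re-join wrapped lines and return the TCP packets as Packet tuples."""
    logical = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("i(", "o(")):
            logical.append(line)
        elif logical and TAIL_RE.match(line):
            logical[-1] += " " + line
    packets = []
    for line in logical:
        m = PACKET_RE.match(line)
        if m:  # anything else (other debug text) is skipped
            g = m.groupdict()
            packets.append(Packet(
                g["direction"], int(g["iface"]), g["src"], int(g["sport"]),
                g["dst"], int(g["dport"]), g["flags"],
                int(g["seq"], 16), int(g["ack"], 16), int(g["length"])))
    return packets


def summarize(packets):
    """One summary dict per TCP connection, in order of first appearance."""
    conns = {}
    for p in packets:
        sender, receiver = (p.src, p.sport), (p.dst, p.dport)
        key = frozenset((sender, receiver))
        c = conns.get(key)
        if c is None:
            # Assumption: the first packet seen comes from the client side.
            c = conns[key] = {"client": sender, "server": receiver,
                              "iface": p.iface, "stage": 0, "fin": set(),
                              "c2s_bytes": 0, "s2c_bytes": 0}
        from_client = sender == c["client"]
        c["c2s_bytes" if from_client else "s2c_bytes"] += p.length
        if "F" in p.flags:
            c["fin"].add(sender)
        # Three-way handshake: client S, server SA, client A.
        if c["stage"] == 0 and from_client and p.flags == "S":
            c["stage"] = 1
        elif c["stage"] == 1 and not from_client and p.flags == "SA":
            c["stage"] = 2
        elif c["stage"] == 2 and from_client and "A" in p.flags and "S" not in p.flags:
            c["stage"] = 3
    return [{"client": "%s:%d" % c["client"], "server": "%s:%d" % c["server"],
             "iface": c["iface"], "handshake": c["stage"] == 3,
             "closed": len(c["fin"]) == 2,
             "c2s_bytes": c["c2s_bytes"], "s2c_bytes": c["s2c_bytes"]}
            for c in conns.values()]


if __name__ == "__main__":
    for conn in summarize(parse_capture(SAMPLE)):
        print(conn)
```

In the excerpt, the summary separates the client connection to port 443 on interface 5 from the AX's own connection to the server's port 80 on interface 6.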
AX#show debug
debug packet is on
debug tcp-proxy is on
debug http-proxy is on
debug ssl is on
AX#debug mon
Wait for debug output, enter <ctrl c> to exit
i( 5, 0,1109d)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 S 97d96bd2:0(0)
o( 5, 0,1109d)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 SA 3dbd5544:97d96bd3(0)
i( 5, 0,1109e)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 A 97d96bd3:3dbd5545(0)
(51983178) skb(0xa884f700), skb->len 66
(51983178) master sock 0xb1083b50, conn 0x80040b80, conn_tuple 0x80040b80, dir 0 (nil)
(nil)
(51983178) Create a child sock 0xb105c4d0 parent 0xb1083b50
(51983178) TCP Notification 0xb105c4d0 0x1
i( 5, 0,1109f)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 PA
97d96bd3:3dbd5545(142)
(51983178) skb(0xa884ff00), skb->len 208
o( 5, 0,1109e)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 A 3dbd5545:97d96c61(0)
(51983178) TCP Notification 0xb105c4d0 0x2
(51983178) sending len 1031 1368 1368
o( 5, 0, 9c6b)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 PA
3dbd5545:97d96c61(1031)
i( 5, 0,110a0)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 A 97d96c61:3dbd594c(0)
(51983179) skb(0xa8850700), skb->len 66
(51983179) TCP Notification 0xb105c4d0 0x4
i( 5, 0,110a1)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 PA
97d96c61:3dbd594c(198)
(51983179) skb(0xa8850f00), skb->len 264
o( 5, 0,110a0)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 A 3dbd594c:97d96d27(0)
(51983179) TCP Notification 0xb105c4d0 0x2
(51983179) sending len 59 1368 1368
o( 5, 0, 6fe4)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 PA 3dbd594c:97d96d27(59)
(51983179) HTTP proxy process, ev 1, tup 0x80040b80, data (nil)
(51983179) (HTTP_PROXY_CLIENT_REQUEST) 0x80040c00
(51983179) (HTTP_PROXY_CLIENT_REQUEST) 0x80040c00 Client connected.
i( 5, 0,110a2)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 PA
97d96d27:3dbd5987(218)
(51983179) skb(0xa8851700), skb->len 284
o( 5, 0, 6fe3)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 A 3dbd5987:97d96e01(0)
(51983179) TCP Notification 0xb105c4d0 0x6
=====decryption start:142=====
GET /tours/index.html HT
TP/1.0..User-Agent: Wget
/1.9+cvs-stable (Red Hat
modified)..Host: 20.20.
5.150..Accept: */*..Conn
ection: Keep-Alive....
=====decryption end=====
(51983179) HTTP proxy process, ev 2, tup 0x80040b80, data 0xa8851700
(51983179) (HTTP_PROXY_CLIENT_REQUEST) 0x80040c00
(51983179) (HTTP_PROXY_CLIENT_REQUEST) 0x80040c00 client request enqueue 0xa8851700
(51983179) lb_http_proxy_inspect_client_request
(51983179) HTTP request GET /tours/index.html HTTP/1.0
(51983179) (HTTP_PROXY_CLIENT_REQUEST) 0x80040c00 request inspected, forward to
server...
(51983179) lb_http_proxy_forward_request
(51983179) New client tcp established. 0xb105c810 0x83a6898
o( 6, 0, 6fe1)> ip 192.168.100.249 > 192.168.100.1 tcp 2094 > 80 S c0325922:0(0)
(51983179) HTTP State Change: HTTP_PROXY_CLIENT_REQUEST->HTTP_PROXY_SERVER_CONNECTING
0x80040c00
i( 6, 0, 2f14)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2094 SA
b9df9c26:c0325923(0)
(51983179) skb(0xa178a700), skb->len 74
o( 6, 0, 6fe0)> ip 192.168.100.249 > 192.168.100.1 tcp 2094 > 80 A
c0325923:b9df9c27(0)
(51983179) TCP Notification 0xb105c810 0x5
(51983179) HTTP proxy process, ev 1, tup 0x80040b98, data (nil)
(51983179) (HTTP_PROXY_SERVER_CONNECTING) 0x80040c00
(51983179) (HTTP_PROXY_SERVER_CONNECTING) 0x80040c00 Server Connected.
(51983179) HTTP send one request, proxy 0x80040c00, 503(0)
(51983179) Forward idempotent request to server..., 0xa8851700
(51983179) sending len 142 1448 1448
o( 6, 0, 2f14)> ip 192.168.100.249 > 192.168.100.1 tcp 2094 > 80 PA
c0325923:b9df9c27(142)
(51983179) HTTP State Change: HTTP_PROXY_SERVER_CONNECTING-
>HTTP_PROXY_SERVER_CONNECTED 0x80040c00
i( 6, 0,129b8)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2094 A
b9df9c27:c03259b1(1356)
(51983179) skb(0xa94dc700), skb->len 1422
o( 6, 0, 6fdf)> ip 192.168.100.249 > 192.168.100.1 tcp 2094 > 80 A
c03259b1:b9dfa173(0)
(51983179) TCP Notification 0xb105c810 0x6
(51983179) HTTP proxy process, ev 2, tup 0x80040b98, data 0xa94dc700
(51983179) (HTTP_PROXY_SERVER_CONNECTED) 0x80040c00
(51983179) HTTP State Change: HTTP_PROXY_SERVER_CONNECTED->HTTP_PROXY_SERVER_RESPONSE
0x80040c00
(51983179) (HTTP_PROXY_SERVER_RESPONSE) 0x80040c00
(51983179) (HTTP_PROXY_SERVER_RESPONSE) 0x80040c00 server resp, http enqueue,
0xa94dc700
(51983179) Find Content-Length: 2975
(51983179) HTTP slow path, running remain_len 1709
(51983179) HTTP response, status 200
=====encryption start:1356=====
HTTP/1.1 200 OK..Content
-length: 2975..Content-T
ype: text/html..Connecti
on: Keep-Alive....<html>
..<head>..<title>Mercury
Tours</title>..<meta ht
tp-equiv="Content-Type"
content="text/html; char
set=iso-8859-1">..</head
>....<body bgcolor="#FFF
FFF" marginwidth=0 margi
nheight=0 topmargin=0 le
ftmargin=0>..<table widt
h="100%" border="0" cell
spacing="0" cellpadding=
"0">.. <tr bgcolor="#00
00CC" align="center"> ..
<td>.. <table w
idth="100%" border="0" c
ellspacing="8" cellpaddi
ng="0">.. <tr ali
gn="center"> ..
<td><img src="Merc10-de
v/images/banner_animated
.gif" width="576" height
="100"></td>.. </
tr>.. </table>..
.. </td>.. </tr>.
. <tr>.. <td>..
<table width="632" bord
er="0" cellspacing="0" c
ellpadding="0">..
<tr>.. <td bgc
olor="#66CCFF" width="12
5" valign="top"><img src
="Merc10-dev/images/sun_
swede.gif" alt=Sun width
=125 height=120> ..
<br clear>..
<form method=get
action=/cgi-bin/login>..
<input typ
e=hidden name=userSessio
n value=75893.0884568651
DQADHfApHDHfcDtccpfAttcf
>.. <center
>.. <tabl
e border=0 height=140>..
<tr>..
<td>
<font size=3> <b>Me
mber name</b></font> ..
<tr>..
<td>.
. <
input type=text name=use
rname value=
=====encryption end=====
(51983179) msg_complete? 0
i( 6, 0, cfc)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2094 PA
b9dfa173:c03259b1(1356)
(51983179) skb(0xa067e700), skb->len 1422
(51983179) TCP Notification 0xb105c810 0x2
(51983179) sending len 1397 1368 1368
o( 5, 0, 6fdd)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 A
3dbd5987:97d96e01(1368)
o( 5, 0, 6fdc)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 PA 3dbd5edf:97d96e01(29)
(51983179) HTTP proxy process, ev 2, tup 0x80040b98, data 0xa067e700
(51983179) (HTTP_PROXY_SERVER_RESPONSE) 0x80040c00
(51983179) (HTTP_PROXY_SERVER_RESPONSE) 0x80040c00 Response from server, forward
=====encryption start:1356=====
'' size=12>..
<tr>..
<td><font size=
3> <b>Password</b><
/font> ..
<tr>..
<td>..
<input type=pas
sword name=password valu
e='' size=12>..
<tr>..
<td align=cen
ter>..
<input type=image na
me=login value=Login alt
=Login border=0 src='Mer
c10-dev/images/login.gif
' width=95 height=25>...
. ..
</table>..
</center>..
<p>..
<input type=h
idden name=JSFormSubmit
value='off'>..
</p>..
<p> </p>..
</form>.. <
/td>.. <td vali
gn="top">.. <
table width="507" border
="0" cellspacing="0" cel
lpadding="0">..<!--...
<tr>..
<td><img src="pics/ban
ner_merctur.jpg" width="
507" height="94"></td>..
. </tr>..-->..
<tr>..
<td>..
<table width=507>
........<img src="images
/banner_merctur.jpg" wid
th=507 height=94>..<br c
lear>..<table width=507>
..<tr><td> <TR><TD>
..<blockquote><font size
=+1>..<!--.. Welcome to
the Mercury Tours websit
e. To make reservations
,.. please enter your ac
count information to the
left. ..-->..Welcome to
the Mercury Tours websi
te. To make reservation
s, please enter..your ac
count inform
=====encryption end=====
(51983180) msg_complete? 0
i( 6, 0, cfb)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2094 PA
b9dfa6bf:c03259b1(353)
(51983180) skb(0xa067df00), skb->len 419
o( 6, 0, 6fdb)> ip 192.168.100.249 > 192.168.100.1 tcp 2094 > 80 A
c03259b1:b9dfa820(0)
(51983180) TCP Notification 0xb105c810 0x2
(51983180) sending len 1397 1368 1368
o( 5, 0, 6fd9)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 A
3dbd5efc:97d96e01(1368)
o( 5, 0, 6fd8)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 PA 3dbd6454:97d96e01(29)
(51983180) HTTP proxy process, ev 2, tup 0x80040b98, data 0xa067df00
(51983180) (HTTP_PROXY_SERVER_RESPONSE) 0x80040c00
(51983180) (HTTP_PROXY_SERVER_RESPONSE) 0x80040c00 Response from server, forward
=====encryption start:353=====
ation to the left. ..<!
-- To sign up with Mercu
ry Tours,..choose a Memb
er Name and Password, th
en click on the 'sign up
' button. -->..</font>..
</blockquote>......
</table>..
</td>..
</tr>..
</table>..
</td>.. </tr>.
. </table>.. </t
d>.. </tr>..</table>..<
/body>..</html>..
=====encryption end=====
(51983180) msg_complete? 1
(51983180) HTTP State Change: HTTP_PROXY_SERVER_RESPONSE->HTTP_PROXY_CLIENT_REQUEST
0x80040c00
i( 5, 0,110a3)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 A 97d96e01:3dbd5efc(0)
(51983180) skb(0xa8851f00), skb->len 66
(51983180) TCP Notification 0xb105c4d0 0x4
(51983180) sending len 389 1368 1368
o( 5, 0,110a3)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 PA
3dbd6471:97d96e01(389)
i( 5, 0,110a4)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 A 97d96e01:3dbd6471(0)
(51983180) skb(0xa8852700), skb->len 66
(51983180) TCP Notification 0xb105c4d0 0x4
i( 5, 0,110a5)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 FA 97d96e01:3dbd65f6(0)
(51983180) skb(0xa8852f00), skb->len 66
(51983180) TCP Notification 0xb105c4d0 0x6
(51983180) HTTP proxy process, ev 3, tup 0x80040b80, data (nil)
(51983180) (HTTP_PROXY_CLIENT_REQUEST) 0x80040c00
(51983180) sk 0xb105c4d0, state 8
o( 5, 0,110a4)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 FA 3dbd65f6:97d96e02(0)
(51983180) sk 0xb105c810, state 1
o( 6, 0, 6fd6)> ip 192.168.100.249 > 192.168.100.1 tcp 2094 > 80 FA
c03259b1:b9dfa820(0)
i( 5, 0,110a6)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 A 97d96e02:3dbd65f7(0)
(51983180) skb(0xa8853700), skb->len 66
(51983180) Destruction of the TCP socket 0xb105c4d0 delayed, refcnt=2
i( 6, 0, cfa)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2094 FA
b9dfa820:c03259b2(0)
(51983180) skb(0xa067d700), skb->len 66
o( 6, 0,110a6)> ip 192.168.100.249 > 192.168.100.1 tcp 2094 > 80 A
c03259b2:b9dfa821(0)
(51983180) Destruction of the TCP socket 0xb105c810 delayed, refcnt=2
If problem happens already and you already rebooted the system, then