RELEASE NOTES A10 Thunder Series and AX Series ACOS 4.0.3-P1 5 February 2016

Page 1: A10 Thunder Series and AX Series - BLCR Thunder Series and AX Series—Release Notes Contents A10 Networks, Inc. Proprietary and Confidential Document No.: 403-P1-REL-001 - 2/5/2016

RELEASE NOTES

A10 Thunder Series and AX Series

ACOS 4.0.3-P1

5 February 2016

© 2016 A10 Networks, Inc. Confidential and Proprietary - All Rights Reserved

Information in this document is subject to change without notice.

Patent Protection

A10 Networks products are protected by patents in the U.S. and elsewhere. The following website is provided to satisfy the virtual patent marking provisions of various jurisdictions including the virtual patent marking provisions of the America Invents Act. A10 Networks' products, including all Thunder Series products, are protected by one or more of U.S. patents and patents pending listed at:

https://www.a10networks.com/company/legal-notices/a10-virtual-patent-marking.

Trademarks

The A10 logo, A10 Harmony, A10 Lightning, A10 Networks, A10 Thunder, aCloud, ACOS, Affinity, aFleX, aFlow, aGalaxy, aGAPI, aVCS, AX, aXAPI, IDsentrie, IP-to-ID, SSL Insight, SSLi, Thunder, Thunder TPS, UASG, and vThunder are trademarks or registered trademarks of A10 Networks, Inc. in the United States and other countries. All other trademarks are property of their respective owners.

Confidentiality

This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Networks, Inc.

A10 Networks Inc. Software License and End User Agreement

Software for all A10 Networks products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees to treat Software as confidential information.

Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA), provided later in this document or available separately. Customer shall not:

1. reverse engineer, reverse compile, reverse de-assemble or otherwise translate the Software by any means

2. sublicense, rent or lease the Software.

Disclaimer

This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks’ products and services are subject to A10 Networks’ standard terms and conditions.

Environmental Considerations

Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.

Further Information

For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks location, which can be found by visiting www.a10networks.com.

Table of Contents

What’s New
    ACOS 4.0.3 New Features
        OCSP Support Server Certificate Validation
        Enhanced Debugging Message for SSL Failures
        Forward Proxy Failsafe
        Forward Proxy Inspect
    ACOS 4.0.1-SP9 New Features
        ADC SSLi Dynamic Port Intercept
        ICAP Support
        Bypassing Client Authentication Traffic
        MAC Address Assignment for VE Interfaces
    ACOS 4.0.1-SP7 New Features
        Hardware Support for DHE Ciphers
    ACOS 4.0.1-SP6 New Features
        Support for 2048 NAT Pools
        Support for 2048 NAT Pool-Groups
        Support for 20480 Static NAT Configurations
        Support for Inter-Partition Static NAT and Overlapping IP Addresses
    ACOS 4.0.1-SP1 New Features
        Explicit HTTP Proxy

ACOS 4.x Supported Hardware and Virtual Platforms
    Hardware Platform Support
    Virtual Appliance Support

Known Issues
    ACOS 4.0.3 Known Issues
        SSL Insight Not Supported in IPv6 Environments
        Cipher Binded to Server-SSL Template Results in No ‘Client Hello’ Request to Real Server
        No Trunk Option in GUI for NAT Interfaces under IP Source NAT
        Traffic Unable To Go Through With Server Side SSL Using Session-Cache-Size Parameter
        Import Cert CSR-Generate Command Not Supported
        Physical Link Fails to Connect Partitions
        LDAP Authentication over SSL Not Supported
        OCSP Not Supported in the GUI
        SSL Insight Not Supported on vThunder
        ACOS Device Sends Intermittent FIN Packets
        SSL Acceleration Incorrectly Shows Disabled Status in the GUI
        Certificate Binding Status in the CLI is Incorrect
    ACOS 4.0.1-SP9 Known Issues
        DSCP-based Layer 3 Direct Server Return Performance Issue
    ACOS 4.0.1-SP7 Known Issues
        ACOS Reloads when Cache is Cleared
    ACOS 4.0.1-SP6 Known Issues
        vThunder License Support

Fixes in ACOS 4.0.x
    Security Advisory Fixes
    Issues Fixed in Release 4.0.3-P1
    Issues Fixed in Release 4.0.3
    Issues Fixed in Release 4.0.1-SP9

Changes to Default Behavior
    Default Behavior Changes Between ACOS 4.0.1 and ACOS 4.0.3
        Changes to Default SSL Insight Behavior
    Default Behavior Changes Between ACOS 4.0 and 4.0.1
        AAM SSL Client Certificate Authentication via LDAP
        VRRP-A CLI Changes
        Overlay CLI Changes
        CGNv6 DDoS IP Anomaly Checks
    Default Behavior Changes Between Legacy 2.x Releases and ACOS 4.x Releases
        Default Behavior of Layer 2 Handling on the Default VLAN
        Default Behaviors for Private Partitions
        Configuring High Availability
        Admin Roles
        End-User Scripts Must Add Delay for SLB Policy Templates
        Disabled Interfaces Status Not Shown in the show running-config Output

Upgrading to ACOS 4.0.3
    Supported Upgrade Paths
    Upgrade Image File Names
    Upgrading Legacy HA Configurations
        Before Upgrading Your Configuration
        HA to VRRP-A Migration Exceptions
        HA to VRRP-A CLI Comparison
        Running the HA to VRRP-A Migration Command
        Revert to HA from VRRP-A
    Upgrading to ACOS 4.0.3
    Understanding the Upgrade of L3V Partitions
    Upgrading the Software Image Using aVCS
        Use the GUI to Upgrade an aVCS Chassis
            Backing Up the System
            Full Chassis Upgrade (with or without VRRP-A)
            Staggered Upgrade (with VRRP-A)
            Staggered Upgrade (no VRRP-A)
        Use the CLI to Upgrade an aVCS Chassis
            Backing Up the System
            Full Chassis Upgrade (with or without VRRP-A)
            Staggered Upgrade (with VRRP-A)
            Staggered Upgrade (no VRRP-A)

What’s New

This chapter describes the new features added in various ACOS 4.x releases.

For additional information and documentation, refer to the main documentation library, available on the Support Portal.

• ACOS 4.0.3 New Features

• ACOS 4.0.1-SP9 New Features

• ACOS 4.0.1-SP7 New Features

• ACOS 4.0.1-SP6 New Features

• ACOS 4.0.1-SP1 New Features

ACOS 4.0.3 New Features

The following new features are introduced in ACOS 4.0.3:

• OCSP Support Server Certificate Validation

• Enhanced Debugging Message for SSL Failures

• Forward Proxy Failsafe

• Forward Proxy Inspect

OCSP Support Server Certificate Validation

The Online Certificate Status Protocol (OCSP) is an IETF protocol that SSL clients, such as ACOS SSL, can use to verify the state of a server’s certificate before enabling an SSL session with that server. This release provides support for OCSP and OCSP Stapling.

For more information, see “Server Certificate Validation for SSLi” in the SSL Configuration Guide.

Enhanced Debugging Message for SSL Failures

The CLI command enable-tls-alert-logging fatal enables logging of TLS alerts that include the flow information such as source IP address. This command is available at the SLB template configuration level for the following template types:

• Client SSL

• Server SSL

For more information, refer to the Command Line Interface Reference.

Forward Proxy Failsafe

Failsafe enables SSLi traffic interception to be bypassed when there is a handshake failure. This feature is enabled by default.

For more information, refer to the forward-proxy-failsafe-disable command, under the “slb template client-ssl” command in the Command Line Interface Reference.

Forward Proxy Inspect

This feature allows you to inspect an Aho-Corasick class list and only perform SSLi on traffic matching entries in the class-list.

When an overlap occurs between forward-proxy-inspect and forward-proxy-bypass, these rules apply:

• forward-proxy-inspect takes precedence over forward-proxy-bypass for web-category option.

• When there is a keyword match between forward-proxy-inspect and forward-proxy-bypass for class-list option, the match with the greater key word length takes precedence.

Example:

forward-proxy-inspect rule checks “.com”

forward-proxy-bypass rule checks “example.com”

The following URL is checked - “sample.example.com”

The URL would be bypassed, as it matches the 11 key word length for forward-proxy-bypass which is greater than the 4 key word length match for forward-proxy-inspect.

• forward-proxy-bypass configuration takes precedence over forward-proxy-inspect.

For more information, refer to the forward-proxy-inspect command, under the “slb template client-ssl” command in the Command Line Interface Reference.
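The class-list overlap rule above, modeled as an added example (not A10 code and not taken from the release notes). It assumes case-insensitive "contains" matching of keywords against the server name and that an equal-length tie falls back to bypass; the class-lists and host names are constructed.

```python
"""Model of the class-list overlap rule between forward-proxy-inspect and
forward-proxy-bypass: when both lists match, the longer keyword wins.

Assumptions made for this illustration (not stated in the release notes):
  * a keyword matches when it occurs anywhere in the server name,
    compared case-insensitively;
  * an equal-length match on both lists resolves to bypass.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Decision:
    action: str                  # "inspect" or "bypass"
    inspect_key: Optional[str]   # longest matching inspect keyword, if any
    bypass_key: Optional[str]    # longest matching bypass keyword, if any
    reason: str


def longest_match(server_name: str, keywords: Iterable[str]) -> Optional[str]:
    """Return the longest keyword contained in server_name, or None."""
    name = server_name.lower()
    hits = [k.lower() for k in keywords if k and k.lower() in name]
    return max(hits, key=len, default=None)


def decide(server_name: str,
           inspect_keys: Iterable[str],
           bypass_keys: Iterable[str]) -> Decision:
    """Apply the overlap rule to one server name."""
    ik = longest_match(server_name, inspect_keys)
    bk = longest_match(server_name, bypass_keys)
    if ik is None:
        # SSLi is performed only on traffic matching the inspect class-list.
        return Decision("bypass", None, bk, "no inspect match")
    if bk is None:
        return Decision("inspect", ik, None, "inspect match only")
    if len(ik) > len(bk):
        return Decision("inspect", ik, bk, "longer inspect keyword")
    if len(bk) > len(ik):
        return Decision("bypass", ik, bk, "longer bypass keyword")
    return Decision("bypass", ik, bk, "equal length, bypass assumed")


def audit(server_names: Iterable[str],
          inspect_keys: Iterable[str],
          bypass_keys: Iterable[str]) -> Dict[str, Decision]:
    """Evaluate a batch of server names, e.g. names pulled from proxy logs."""
    inspect_keys = list(inspect_keys)
    bypass_keys = list(bypass_keys)
    return {n: decide(n, inspect_keys, bypass_keys) for n in server_names}


# Constructed sample class-lists and server names.
INSPECT = [".com", "bank.example.net"]
BYPASS = ["example.com", ".example.net"]
NAMES = [
    "sample.example.com",        # the case worked through in the text
    "portal.bank.example.net",   # longer inspect keyword beats bypass
    "store.corp-demo.com",       # inspect match only
    "www.example.org",           # matches neither list
]

if __name__ == "__main__":
    for name, d in audit(NAMES, INSPECT, BYPASS).items():
        print(f"{name:26} {d.action:8} inspect={d.inspect_key!s:18} "
              f"bypass={d.bypass_key!s:14} ({d.reason})")
```

Running the audit over the server names seen in production shows which hosts a broad bypass keyword removes from inspection before the class-lists are deployed.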

ACOS 4.0.1-SP9 New Features

The following new features are introduced in ACOS 4.0.1-SP9:

• ADC SSLi Dynamic Port Intercept

• ICAP Support

• Bypassing Client Authentication Traffic

• MAC Address Assignment for VE Interfaces

NOTE: These features cannot be configured using the GUI.

ADC SSLi Dynamic Port Intercept

Dynamic-Port SSL Insight (SSLi) allows the ACOS device to dynamically detect and intercept the use of SSL on any TCP session, regardless of the protocol running on top of TCP.

For more information, see SSL Insight Dynamic Port in the SSL Configuration Guide.

ICAP Support

ACOS supports Internet Content Adaptation Protocol (ICAP) services on HTTP and HTTPS sessions. In other words, ACOS supports the configuration of ACOS devices to conform to the ICAP client recommendations in RFC 3507.

For more information, see SSL ICAP Support in the SSL Configuration Guide.

To support this feature, the following new CLI commands are added.

Global configuration commands:

• slb template reqmod-icap

• slb template respmod-icap

Virtual port configuration commands:

• template reqmod-icap

• template respmod-icap

Show commands:

• show slb icap

For more information, refer to the Command Line Interface Reference.

Bypassing Client Authentication Traffic

In previous releases, the inside SSLi ACOS device intercepted all of the traffic that traveled through port 443. The ACOS device also bypassed SSL traffic based on the server name (SNI) in the client-hello message, while maintaining HTTPS proxy processing on the client side. Bypassing client authentication traffic enables you to configure a list of server names that can be bypassed from HTTPS proxy processing on the client side as well, by using CLI or a class-list.

For more information, see “Bypassing Client Authentication Traffic” in the SSL Configuration Guide.

MAC Address Assignment for VE Interfaces

In an L3V partition, the system ve-mac-scheme system-mac command allocates a system MAC for the partition and assigns the system MAC address of the partition to all VLANs and VEs in the partition.

For more information, see the “system ve-mac-scheme” command in the Command Line Interface Reference.

ACOS 4.0.1-SP7 New Features

The following feature is introduced in ACOS 4.0.1-SP7:

• Hardware Support for DHE Ciphers

Hardware Support for DHE Ciphers

In 4.0.1-SP7, hardware support for DHE ciphers is added for enhanced performance and processing. Previously, this was restricted to software only.

ACOS 4.0.1-SP6 New Features

The following new features are introduced in ACOS 4.0.1-SP6:

• Support for 2048 NAT Pools

• Support for 2048 NAT Pool-Groups

• Support for 20480 Static NAT Configurations

• Support for Inter-Partition Static NAT and Overlapping IP Addresses

Support for 2048 NAT Pools

This release provides support for the creation of 2048 NAT pools.

Support for 2048 NAT Pool-Groups

This release provides support for the creation of 2048 NAT pool-groups.

Support for 20480 Static NAT Configurations

This release provides support for 20480 static NAT configurations.

Support for Inter-Partition Static NAT and Overlapping IP Addresses

This release provides support for inter-partition routing with static NAT, similar to inter-partition routing for fixed NAT (see “L3V Inter-partition Routing for Fixed-NAT” in the IPv4-to-IPv6 Transition Solutions Guide in the 4.0.1 documentation library).

To accomplish this, configure a static route in the private partitions pointing to the shared partition. This enables static NAT traffic to be routed from private partitions to the shared partition.

The cgnv6 nat range-list and cgnv6 nat inside source CLI commands are enhanced to configure this feature:

cgnv6 nat range-list list_name inside_start_address inside_netmask partition inside_partition_name nat_start_address nat_netmask count num

cgnv6 nat inside source static source_address partition inside_partition_name nat_ip_address [vrid vrid_num]

The partition inside_partition_name parameter is introduced to these existing commands.

This feature also adds support for overlapping addresses in the private partitions. For example, 10.10.10.1 from private partition P1 can be mapped to a NAT address 20.20.20.1 and 10.10.10.1 from private partition P2 can be mapped to a NAT address 20.20.20.2.

ACOS 4.0.1-SP1 New Features

The following feature is introduced in ACOS 4.0.1-SP1:

• Explicit HTTP Proxy

Explicit HTTP Proxy

You can use the ACOS device as an explicit HTTP proxy to control client access to hosts based on lists of allowed traffic sources (clients) and destinations (Web servers). Client applications, which are typically Web browsers, must explicitly configure the proxy's IP address and port such that all HTTP requests will be sent to the explicit proxy.

For more information, see “Explicit HTTP Proxy” in the Application Delivery and Server Load Balancing Guide.

ACOS 4.x Supported Hardware and Virtual Platforms

This chapter describes the supported hardware platforms and virtual appliances for the ACOS 4.x releases.

The following topics are covered:

• Hardware Platform Support

• Virtual Appliance Support

Hardware Platform Support

Table 1 lists the supported hardware devices and their respective minimum releases; for example:

• A device with “4.0.1” in the Minimum Release column would not support release 4.0.

• A device with “4.0” in the Minimum Release column would be supported on 4.0 and all later releases, unless otherwise noted.

Unless otherwise specified, all platforms are FTA enabled.

TABLE 1 ACOS 4.x Supported Hardware Platforms

| A10 Thunder Series Devices | Minimum Release | AX Series Devices | Minimum Release |
|---|---|---|---|
| Thunder 6635(S) | 4.0.1 | AX 5630 | 4.0 |
| Thunder 6630(S) | 4.0 | AX 5200-11 | 4.0 |
| Thunder 6435(S) | 4.0 | AX 3530 (non-FTA) | 4.0 |
| Thunder 6430(S) | 4.0 | AX 3400 | 4.0 |
| Thunder 5630(S) | 4.0 | AX 3200-12 | 4.0 |
| Thunder 5435(S) | 4.0 | | |
| Thunder 5430(S)-11 | 4.0 | | |
| Thunder 5430S | 4.0 | | |
| Thunder 5330(S) | 4.0.1 | | |
| Thunder 4430(S) | 4.0 | | |
| Thunder 3430(S) | 4.0.1 | | |
| Thunder 3230(S) | 4.0.1 | | |
| Thunder 3030S (non-FTA) | 4.0 | | |
| Thunder 1030S (non-FTA) | 4.0 | | |
| Thunder 930 (non-FTA) | 4.0 | | |

Virtual Appliance Support

Table 2 lists the supported virtual appliances and their respective minimum releases, for example:

• A device with “4.0.1” in the Minimum Release column would not support release 4.0.

• A device with “4.0” in the Minimum Release column would be supported on 4.0 and all later releases, unless otherwise noted.

TABLE 2 ACOS 4.x Supported Virtual Appliances

| vThunder Virtual Appliances | Minimum Release |
|---|---|
| vThunder for AWS | 4.0.1 |
| vThunder for Azure | 4.0 SP2 |
| vThunder for VMware ESXi | 4.0 |
| vThunder for KVM (with SR-IOV) | 4.0 |
| vThunder for KVM | 4.0 |
| vThunder for Hyper-V | 4.0 |

Known Issues

This chapter describes known issues in ACOS releases 4.0.3, 4.0.1-SP6, 4.0.1-SP7, and 4.0.1-SP9.

For additional information and documentation about ACOS release 4.0.1, refer to the ACOS 4.0.1 product documentation.

• ACOS 4.0.3 Known Issues

• ACOS 4.0.1-SP9 Known Issues

• ACOS 4.0.1-SP7 Known Issues

• ACOS 4.0.1-SP6 Known Issues

ACOS 4.0.3 Known Issues

The following topics are covered:

• SSL Insight Not Supported in IPv6 Environments

• Cipher Binded to Server-SSL Template Results in No ‘Client Hello’ Request to Real Server

• No Trunk Option in GUI for NAT Interfaces under IP Source NAT

• Traffic Unable To Go Through With Server Side SSL Using Session-Cache-Size Parameter

• Import Cert CSR-Generate Command Not Supported

• Physical Link Fails to Connect Partitions

• LDAP Authentication over SSL Not Supported

• OCSP Not Supported in the GUI

• SSL Insight Not Supported on vThunder

• ACOS Device Sends Intermittent FIN Packets

• SSL Acceleration Incorrectly Shows Disabled Status in the GUI

• Certificate Binding Status in the CLI is Incorrect

SSL Insight Not Supported in IPv6 Environments

Currently, SSL Insight allows IPv6 traffic to pass through, but is otherwise not supported. IPv4 traffic functions properly with SSL Insight (A10 Issue 288871, 288826, 288355).


Cipher Bound to Server-SSL Template Results in No ‘Client Hello’ Request to Real Server

When a cipher template with cipher TLS1_RSA_AES_128_GCM_SHA256 is bound to a server-ssl template, the ACOS device does not send a client hello to the real server (A10 Issue 292294).

No Trunk Option in GUI for NAT Interfaces under IP Source NAT

No trunk interface option is available in the drop-down menu at the following path in the GUI: ADC > IP Source NAT > NAT interfaces (A10 Issue 291854).

Traffic Unable To Go Through With Server Side SSL Using Session-Cache-Size Parameter

Frequently, a FIN request will be sent to the client without a server response when the session-cache-size parameter is used in a server SSL template (A10 Issue 290911).

Note: This configuration is normally not required in an SSL Insight environment and is more commonly applied for reverse-proxy SSL decryption and encryption.

Import Cert CSR-Generate Command Not Supported

The csr-generate option for import cert is not supported (A10 Issue 290060).

Physical Link Fails to Connect Partitions

A physical link fails to connect two partitions (A10 Issue 289195).

The recommended configuration is to use only virtual ethernet interfaces for connectivity.

LDAP Authentication over SSL Not Supported

LDAP Authentication over SSL is not supported (A10 Issue 288724).

OCSP Not Supported in the GUI

OCSP-related configuration and troubleshooting cannot be performed using the GUI; this is only supported in the CLI.


SSL Insight Not Supported on vThunder

SSL Insight configuration is not supported on vThunder devices (A10 Issue 287486).

ACOS Device Sends Intermittent FIN Packets

The ACOS device will send intermittent FIN packets to the client on port 8080 and to the server on port 443 before receiving all the data from the server when sent a packet size greater than that set by RFC 4254 (A10 Issue 286828).

SSL Acceleration Incorrectly Shows Disabled Status in the GUI

On the Dashboard >> ADC page in the GUI, SSL Acceleration is incorrectly shown as disabled (red circle “X” icon) even though SSL Acceleration is running on the virtual server.

Certificate Binding Status in the CLI is Incorrect

Certificates bound to the client-ssl template incorrectly appear as unbound when using the CLI command to display certificate information (CLI command: show pki cert).

ACOS 4.0.1-SP9 Known Issues

The following topic is covered:

• DSCP-based Layer 3 Direct Server Return Performance Issue

DSCP-based Layer 3 Direct Server Return Performance Issue

Running DSCP-based L3 Direct Server Return (DSR) on 64-bit ACOS demonstrated possible performance issues.

ACOS 4.0.1-SP7 Known Issues

The following topic is covered:

• ACOS Reloads when Cache is Cleared

ACOS Reloads when Cache is Cleared

When your ACOS device is running heavy traffic and the SSL session cache becomes very large, an attempt to clear the cache may cause the device to reload (A10 Issue 259894).


ACOS 4.0.1-SP6 Known Issues

The following topic is covered:

• vThunder License Support

vThunder License Support

The following known issues exist for vThunder licensing:

• License manager is only supported in the CLI.

• “Pay as you go” is only supported in the CLI.

• Import periodic is only supported for “Pay as you go” licenses.


Fixes in ACOS 4.0.x

These release notes describe the fixes in this ACOS Release and its patch releases.

For each issue, the following information is provided:

• System area – Part of the system that had the issue (IP NAT, SLB, aFleX, and so on).

• Description – Description of the issue.

• Trigger – System condition that caused the issue, or steps taken by A10 Networks to recreate the issue for diagnosis.

• Version – Software version(s) in which the issue is present. Later versions (including the version documented by this release note) are not affected by the issue.

• Reproducibility – Indicates how consistently the issue could be reproduced: 100%, High, Medium, or Low.

• Severity – Indicates the impact the issue had or could potentially have:

    • P1 – Major issue that caused or could cause a major service outage or a reload of the ACOS device.

    • P2 – Minor issue that caused or could cause a minor service outage.

    • P3 – Minor issue.

    • P4 – Cosmetic issue.

• Reported by customer – Indicates whether the issue was reported by a customer (Yes) or was discovered internally (No).

• Workaround – Indicates how to compensate for the issue, if applicable. Not all issues have a workaround.

Security Advisory Fixes

ACOS Release 4.0.3 resolves the following Security Advisories:

• CVE-2015-5366 - Linux kernel before 4.0.6 allows remote attackers to cause a denial of service (A10 Tracking ID 279412)


Issues Fixed in Release 4.0.3-P1

ACOS Release 4.0.3-P1 contains fixes listed in Table 3. The issues are listed by A10 tracking ID, beginning with the highest issue ID (the most recently logged issue).

TABLE 3 Fixes in ACOS Release 4.0.3-P1

A10 Tracking ID | Issue

296920 System area: SLB DSR

Description: For short-lived TCP DSR flows, the “current connection” counter under the service-group and real server did not match with the counters displayed under the virtual port. This discrepancy has been addressed.

Trigger: Described above.

Version: 4.0.3 and earlier.

Reproducibility: Low

Severity: P2

Reported by customer: Yes

296479 System area: System

Description: Use of extended-stats parameter in virtual-server template configuration caused reduced ACOS performance.

Trigger: Described above.

Version: 4.0.3 and earlier.

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Avoid enabling extended stats parameter for virtual-server template.

295237 System area: System management

Description: SCP did not work with SSH key authentication.

Trigger: Described above.

Version: 4.0.3 and earlier.

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


293449 System area: System

Description: The destination MAC of the mirrored traffic captured by the “mirror-da-reply” command showed the MAC of the original packet instead of the MAC of the mirrored server.

Trigger: Described above.

Version: 4.0.3 and earlier.

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

292969 System area: System

Description: In a CLI session, when tftp on a data interface was used, performance would degrade and eventually require a hard reboot.

Trigger: Use of tftp on data interface using CLI.

Version: 4.0.3 and earlier.

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: Use tftp with management port.

292270 System area: SSL

Description: Heavy elliptic curve Diffie-Hellman key exchange traffic caused SSL module memory management issues.

Trigger: Described above.

Version: 4.0.3 and earlier.

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

283799 System area: VRRP-A

Description: L2/L3 packets were forwarded from the standby device when the incoming packet matched the session synced to the standby from the active device. This was done using the “ha forward-l4-packet-on-standby” command.

Trigger: Described above.

Version: 4.0.3 and earlier.

Reproducibility: 100%

Severity: P3

Reported by customer: No


281866 System area: SLB-L4

Description: L4 performance was degraded when the idle timeout of the default TCP or UDP template was changed.

Trigger: Described above.

Version: 4.0.3 and earlier.

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

281416 System area: VRRP-A

Description: When an active ACOS device had more than two million connections and the service group had more than a hundred members, the CPU usage of the standby ACOS device would go high.

Trigger: Described above.

Version: 4.0.3 and earlier.

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

280637 System area: System platform

Description: The aXAPI was missing relative log information if the time was modified using the GUI.

Trigger: Described above.

Version: 4.0.3 and earlier.

Reproducibility: 100%

Severity: P2

Reported by customer: No


271219 System area: DSR health-check

Description: While performing DSR (tcp port level) health-check operation for IPv6-based real servers, the ACOS device would occasionally restart.

Trigger: Described above.

Version: 4.0.3 and earlier.

Reproducibility: Low

Severity: P2

Reported by customer: Yes

Workaround: Avoid configuring tcp port level health-check for IPv6-based real servers when configured in DSR mode.

257890 System area: Health Monitor

Description: When the sub-monitor of a compound health monitor was modified, the CPU would reach a high control state.

Trigger: Described above.

Version: 4.0.3 and earlier.

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: Unbind the compound health monitor first, before modifying the sub-monitor.


Issues Fixed in Release 4.0.3

ACOS Release 4.0.3 contains fixes listed in Table 5. The issues are listed by A10 tracking ID, beginning with the highest issue ID (the most recently logged issue).

TABLE 4 Fixes in ACOS Release 4.0.3

A10 Tracking ID | Issue

290071 System area: SSL

Description: Running codenomicon HTTP server suite 3.3.0 caused a stoppage of the ACOS device.

Trigger: Described above.

Version: 4.0.1-SP9

Reproducibility: 100%

Severity: P1

Reported by customer: No

290026 System area: SSL

Description: When a virtual ethernet interface was disabled, server load balanced traffic continued normally as if the virtual ethernet interface was still enabled.

Trigger: Described above.

Version: 4.0.1-SP9

Reproducibility: 100%

Severity: P2

Reported by customer: No

289495 System area: SSL

Description: SSLi traffic over an extended period of time of 12 hours resulted in reduction of resources available on ACOS device.

Trigger: Described above.

Version: 4.0.1-SP9

Reproducibility: 100%

Severity: P1

Reported by customer: No


289474 System area: SSL

Description: In an SSLi setup, when receiving SSLi traffic at 5,000 connections per second (CPS), the ACOS device would fail.

Trigger: Described above.

Version: 4.0.1-SP9

Reproducibility: 100%

Severity: P1

Reported by customer: No

287353 System area: SSL

Description: ACOS device initially had difficulty reaching 400K SSL consistent concurrent sessions.

Trigger: Described above.

Version: 4.0.1-SP9

Reproducibility: 100%

Severity: P1

Reported by customer: No

287140 System area: SSL

Description: Configuring an external Loopback interface on Ethernet port 1 may cause OCSP transactions to be incomplete. This issue is seen in single-box SSL Insight configurations where one partition is configured as the inside ACOS device and a second is configured as the outside ACOS device.

Trigger: Described above.

Version: 4.0.1-SP9

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

286870 System area: SSL

Description: The ACOS device would fail after storing over 100 certificates in its SSL certification cache.

Trigger: Described above.

Version: 4.0.1-SP9

Reproducibility: 100%

Severity: P1

Reported by customer: No


286849 System area: TCP

Description: In a tcp-proxy template, a high wscale value could affect ACOS device performance.

Trigger: Described above.

Version: 4.0.1-SP9

Reproducibility: 100%

Severity: P2

Reported by customer: No

285238 System area: SSLi

Description: Certificate Authority (CA) verification failed when initiating SSL connection for Skype.

Trigger: Initiating SSL connection for Skype.

Version: 4.0.1 SP9 and earlier

Reproducibility: High

Severity: P2

Reported by customer: No

284251 System area: SSLi

Description: A race condition exists when sorting the cipher list on SSL such that a configured or default cipher list may become corrupted and cause an unmatched error.

Trigger: Large traffic load, which may force two threads to sort a cipher list at the same time, causing an undefined result.

Version: 4.0.1 SP9 and earlier

Reproducibility: Low

Severity: P2

Reported by customer: Yes

279412 System area: SSLi

Description: This patch addresses the following Security Advisories:

• CVE-2015-5366 - Linux kernel before 4.0.6 allows remote attackers to cause a denial of service.

Trigger: N/A

Version: 4.0.1 SP9 and earlier

Reproducibility: High

Severity: N/A

Reported by customer: No


Issues Fixed in Release 4.0.1-SP9

ACOS Release 4.0.1-SP9 contains fixes for issues in ACOS 4.0.1 P1, 4.0.1 P2, 4.0.1 P3, 4.0.1 P4, 4.0.1 P5, and 2.7.2 P4. The fixes are listed in Table 5. The issues are listed by A10 tracking ID, beginning with the highest issue ID (the most recently logged issue).

TABLE 5 Fixes in ACOS Release 4.0.1-SP9

A10 Tracking ID | Issue

157399 System area: SLB

Description: With graceful-shutdown and persist cookie configured in an L3V partition, subsequent requests went to the new server instead of the same disabled server in the service-group.

Trigger: Described above.

Version: 4.0.1-SP7 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

165616 / 225155 System area: SLB

Description: When issuing a traceroute operation using the ICMP method (IP SLB or IP NAT config) on certain FTA platforms, the intermediate host situated between the ACOS device and the destination server was not being reflected.

Trigger: Described above.

Version: 4.0.1-SP7 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

168232 System area: SLB/aFleX

Description: The aFleX method (HTTP::method) logic failed to recognize “TRACK”.

Trigger: Described above.

Version: 4.0.1-SP7 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


263872 System area: SSLi

Description: When forging certificates, the SHA1 algorithm was used instead of the SHA2 algorithm. This fix signs the forged certificate using the original certificate's signing algorithm, such as SHA2.

Trigger: Since SHA1 certificates will not be supported in the future, SHA2-signed certificates are used instead.

Version: 4.0.1-SP7 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

258961 System area: SSL

Description: A user cannot import a PFX certificate if the password has special characters.

Trigger: Attempting to import a PFX certificate if the password has special characters.

Version: 4.0.1-SP7 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

Workaround: Re-encrypt the certificate with a password that does not use special characters before importing to an ACOS device.

260923 System area: SSL

Description: Patch June 2015 OpenSSL vulnerabilities.

Trigger: N/A

Version: 4.0.1-SP7 and earlier

Reproducibility: N/A

Severity: N/A

Reported by customer: No


263854 System area: SSL

Description: Accessing https://a10networks.webex.com caused failures when the SSL driver that handled block cipher messages exceeded the buffer.

Trigger: Some small packets at the end of an SSL record caused the MAC field to span more than two buffers. Decryption then computed the wrong MAC and dropped the packet.

Version: 4.0.1-SP7 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

264292 System area: SSL

Description: During the SSL handshake the ACOS device would acknowledge the server response and then would freeze.

Trigger: This issue was seen when the SSL server would send the Server Hello, Cert, Server Key Exchange, and Server Hello Done messages in a single SSL record when using ECDHE ciphers.

Version: 4.0.1-SP7 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


Changes to Default Behavior

This chapter highlights the major changes to default or existing behavior in release 4.x as compared to earlier releases.

• Default Behavior Changes Between ACOS 4.0.1 and ACOS 4.0.3

• Default Behavior Changes Between ACOS 4.0 and 4.0.1

• Default Behavior Changes Between Legacy 2.x Releases and ACOS 4.x Releases

Default Behavior Changes Between ACOS 4.0.1 and ACOS 4.0.3

This section describes changes in behavior between ACOS 4.0.1 and 4.0.3.

The following topics are covered:

• Changes to Default SSL Insight Behavior

Changes to Default SSL Insight Behavior

In earlier releases, the ACOS device queued all connections to forge a certificate that was not already in the certificate cache. The ACOS device would then insert one copy of the forged certificate into the cache and the queued connections would continue to proceed.

In ACOS 4.0.3, this behavior is changed so that instead of queuing all connections to the same server to forge a certificate, only one connection is established to forge a certificate while the rest are bypassed. After the certificate forging is complete, all new connections are intercepted.

Default Behavior Changes Between ACOS 4.0 and 4.0.1

This section describes changes in behavior between ACOS release 4.0 and 4.0.1.

The following topics are covered:

• AAM SSL Client Certificate Authentication via LDAP


• VRRP-A CLI Changes

• Overlay CLI Changes

• CGNv6 DDoS IP Anomaly Checks

AAM SSL Client Certificate Authentication via LDAP

In release 4.0, the ACOS device extracts the content in subject-alt-name-othername from the client certificate to use for LDAP authentication.

In release 4.0.1, the default is changed so that the ACOS device uses the virtual port’s client SSL template configuration.

ACOS-Active(config)#slb template client-ssl client-ssl

ACOS-Active(config-client ssl)#auth-username ?

common-name Certificate subject common came

subject-alt-name-email Subject Alternative Name - extension email

subject-alt-name-othername Subject Alternative Name - other name

The default content extracted is common-name, but this may be configured to suit your specific needs for LDAP authentication. For more information about these options, refer to the slb template client-ssl command in the Command Line Interface Reference.

VRRP-A CLI Changes

This section describes the following VRRP-A CLI changes in release 4.0.1:

• Disable VRRP-A

• Force-Self-Standby

• Persistent Force-Self-Standby

• VRID Fail-Over Policy Template

• VRID Priority

• VRID Tracking Options

Disable VRRP-A

ACOS 4.0 configuration

no enable


ACOS 4.0.1 configuration:

disable

Force-Self-Standby

ACOS 4.0 configuration

vrrp-a common

vrrp-a force-self-standby

ACOS 4.0.1 configuration:

vrrp-a force-self-standby vrid 3

Persistent Force-Self-Standby

ACOS 4.0 configuration

vrrp-a common

vrrp-a force-self-standby vrid 3 persistent

ACOS 4.0.1 configuration:

vrrp-a force-self-standby-persistent vrid 3

VRID Fail-Over Policy Template

ACOS 4.0 configuration

vrrp-a vrid 0

fail-over-policy-template template1

ACOS 4.0.1 configuration:

vrrp-a vrid 0

blade-parameters

fail-over-policy-template template1

VRID Priority

ACOS 4.0 configuration


vrrp-a vrid 0

priority 200

ACOS 4.0.1 configuration:

vrrp-a vrid 0

blade-parameters

priority 200

VRID Tracking Options

ACOS 4.0 configuration

vrrp-a vrid 0

tracking-options

...

ACOS 4.0.1 configuration:

vrrp-a vrid 0

blade-parameters

tracking-options

...

Overlay CLI Changes

Show Overlay Configuration

ACOS 4.0 command:

show overlay-tunnel

ACOS 4.0.1 command:

show running-config overlay-tunnel

CGNv6 DDoS IP Anomaly Checks

The following CGNv6 DDoS IP Anomaly checks have been removed from FPGA platforms in ACOS 4.0.1:

• Bad IP Flags

• UDP Port Loopback

• UDP Kerberos Frag

• IPv4 Options


These checks remain applicable on non-FPGA platforms. The full list, including these checks, can be found in the IPv6 Transitions Solution Guide.

Default Behavior Changes Between Legacy 2.x Releases and ACOS 4.x Releases

This section contains the following:

• Default Behavior of Layer 2 Handling on the Default VLAN

• Default Behaviors for Private Partitions

• Configuring High Availability

• Admin Roles

• End-User Scripts Must Add Delay for SLB Policy Templates

• Disabled Interfaces Status Not Shown in the show running-config Output

Default Behavior of Layer 2 Handling on the Default VLAN

For a system configured in gateway mode or a system without any IP address, Layer 2 MAC learning and Layer 2 forwarding are disabled on the default VLAN (VLAN=1). In transparent mode, Layer 2 MAC learning and Layer 2 forwarding are enabled on the default VLAN.

Layer 2 MAC Learning and Layer 2 forwarding on the default VLAN may be enabled by using the vlan-global enable-def-vlan-l2-forwarding command under global configuration mode.

NOTE: It is recommended that static MACs not be configured in the default VLAN in gateway or no-IP address mode, since Layer 2 MAC learning and Layer 2 forwarding are disabled by default in these modes. If you need to use static MACs in the default VLAN, also enable forwarding on the default VLAN using the vlan-global enable-def-vlan-l2-forwarding command under config mode.

Default Behaviors for Private Partitions

Only L3V partitions are supported in the 4.x releases; RBA partitions are no longer supported. In addition, other aspects of partition creation, configuration, and deletion are changed in this release. For more information, see the “Application Delivery Partition New Features” section in the Configuration Application Delivery Partitions guide:


New Role-Based Access (RBA) functionality is provided in this release to support the creation of multiple users, groups, and roles with varying degrees of permissions. For more information about RBA, see the “Role-Based Access Control” section in the Management Access and Security Guide:

The number of L3V partitions that can be configured per device has changed from previous releases. For more information, see the “Number of Partitions Supported per ACOS Device” section in the Configuration Application Delivery Partitions guide:

Configuring High Availability

Only VRRP-A high availability is supported in ACOS 4.x releases; the legacy High Availability (HA) configuration is no longer supported. For more information, see the Configuring VRRP-A High Availability guide:

Admin Roles

The ACOS 4.x releases support only 5 admin roles, compared to 12 from previous releases. Table 6 summarizes this information:

TABLE 6 Admin Role Comparison

| Admin Role | Supported in Legacy Releases? | Supported in 4.x Releases? |
|---|---|---|
| ReadOnlyAdmin | Yes | Yes |
| ReadWriteAdmin | Yes | Yes |
| SystemAdmin | Yes | No |
| NetworkAdmin | Yes | No |
| NetworkOperator | Yes | No |
| SlbServiceAdmin | Yes | No |
| SlbServiceOperator | Yes | No |
| PartitionReadWrite | Yes | Yes |
| PartitionNetworkOperator | Yes | No |
| PartitionSlbServiceAdmin | Yes | No |
| PartitionSlbServiceOperator | Yes | Yes |
| PartitionReadOnly | Yes | Yes |

End-User Scripts Must Add Delay for SLB Policy Templates

For end-user scripts that perform simultaneous update, deletion, or re-creation of the following:

• SLB policy templates

• Binding of an SLB policy template to a virtual port

• Binding of SLB policy template to system

• Binding of SLB policy template to virtual server

• Modifying fields of an already bound policy template.

The script must be modified to include a delay of a few seconds between actions.

In previous releases, ACOS automatically re-tried the action after two seconds; this is no longer the case in 4.0.


Disabled Interfaces Status Not Shown in the show running-config Output

In ACOS 4.x releases, the output of the show running-config command does not show “disable” for disabled interfaces.

In the legacy 2.x releases, the following section of show running-config output would indicate that interface ethernet 5 is enabled and ethernet 6 is disabled:

    interface ethernet 5
     trunk-group 1
    !
    interface ethernet 6
     disable
     trunk-group 1
    !

In the ACOS 4.x CLI, the same configuration would be shown as follows:

    interface ethernet 5
     enable
     trunk-group 1
    !
    interface ethernet 6
     trunk-group 1
    !

The “non-default” state of enabled is explicitly shown, while the “default” state of disabled is not shown.
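A configuration audit or inventory script written for the legacy output will misread 4.x output, because the absence of "disable" no longer means an interface is up. The following is an added example, not A10 code: it applies the release-specific rule to the two listings above and compares admin state across an upgrade. The function names are hypothetical, and it assumes every interface stanza follows the convention shown in the listings.

```python
"""Derive interface admin state from `show running-config` text (added example)."""

# The two listings shown above, reproduced as sample input.
LEGACY_2X = """\
interface ethernet 5
 trunk-group 1
!
interface ethernet 6
 disable
 trunk-group 1
!
"""

ACOS_4X = """\
interface ethernet 5
 enable
 trunk-group 1
!
interface ethernet 6
 trunk-group 1
!
"""

# Constructed input: after the upgrade, ethernet 6 has been enabled.
ACOS_4X_CHANGED = ACOS_4X.replace(
    "interface ethernet 6\n", "interface ethernet 6\n enable\n"
)


def interface_stanzas(config_text):
    """Return {'ethernet 5': [sub-commands]} for every interface stanza."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = line[len("interface "):]
            stanzas[current] = []
        elif line == "!" or (line and not raw[0].isspace()):
            current = None  # "!" or a new top-level command ends the stanza
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas


def admin_states(config_text, release):
    """Apply the rule for `release` ('2.x' or '4.x') to each interface stanza."""
    if release not in ("2.x", "4.x"):
        raise ValueError("release must be '2.x' or '4.x'")
    states = {}
    for name, commands in interface_stanzas(config_text).items():
        if release == "2.x":
            enabled = "disable" not in commands  # legacy: up unless 'disable' is shown
        else:
            enabled = "enable" in commands       # 4.x: down unless 'enable' is shown
        states[name] = "enabled" if enabled else "disabled"
    return states


def upgrade_drift(before_2x, after_4x):
    """Interfaces whose admin state differs between pre- and post-upgrade configs."""
    old = admin_states(before_2x, "2.x")
    new = admin_states(after_4x, "4.x")
    return {
        name: (old.get(name, "absent"), new.get(name, "absent"))
        for name in sorted(set(old) | set(new))
        if old.get(name) != new.get(name)
    }


if __name__ == "__main__":
    print("4.x output, 4.x rule   :", admin_states(ACOS_4X, "4.x"))
    # The legacy rule applied to 4.x output reports ethernet 6 as enabled.
    print("4.x output, legacy rule:", admin_states(ACOS_4X, "2.x"))
    print("drift after upgrade    :", upgrade_drift(LEGACY_2X, ACOS_4X_CHANGED))
```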


Upgrading to ACOS 4.0.3

This chapter provides information for upgrading your existing ACOS software to release 4.0.3.

NOTE: If you are configuring a new ACOS device, refer to the installation guide for your specific device.

The following topics are covered:

• Supported Upgrade Paths

• Upgrade Image File Names

• Upgrading Legacy HA Configurations

• Upgrading to ACOS 4.0.3

• Understanding the Upgrade of L3V Partitions

• Upgrading the Software Image Using aVCS

Supported Upgrade Paths

The following upgrade paths to ACOS 4.0.3 are supported:

• Release 2.7.2 or any Release 2.7.2-Px to Release 4.0.3

• Release 2.8.2 or any Release 2.8.2-Px to Release 4.0.3

NOTE: To perform an upgrade to ACOS Release 4.0.3 using the GUI, you must start with Release 2.7.2-P3. Earlier releases are not supported.

These releases support the encryption and decryption of the .upg image file formats used for upgrading a device (“Upgrade Image File Names” on page 38).


Upgrade Image File Names

Make sure to use the correct image file for your specific ACOS device.

First, determine whether or not your device is FTA enabled. See “Hardware Platform Support” on page 11.

Then, make sure to use the correct ACOS image file:

• For FTA enabled platforms, use the image with the file name:

ACOS_FTA_version.upg

• For non-FTA enabled platforms (including vThunder), use the image with the file name:

ACOS_non_FTA_version.upg

Upgrading Legacy HA Configurations

ACOS 4.x releases no longer support the legacy HA configuration (see “Configuring High Availability” on page 34). If you are upgrading to release 4.0.3 and your configuration contains existing legacy HA content, you must migrate your legacy HA configuration to VRRP-A using the vrrp-a ha-migration command before migrating to release 4.0.3.

Before Upgrading Your Configuration

Before migrating your HA configuration to VRRP-A, do the following:

• Back up your current configuration. Although the vrrp-a ha-migration command creates its own backup of the existing configuration, it is recommended that you create your own copy of the existing configuration in case you need to revert to your original configuration.

• Before running the vrrp-a ha-migration command, review your existing HA configuration file to address any exceptions that will cause the command to fail. Address these exceptions by manually upgrading your HA configuration or by deleting these configuration statements from your configuration file before migrating your configuration. For a list of conversion exceptions, see “HA to VRRP-A Migration Exceptions” on page 38.

Once the conversion process from HA to VRRP-A is complete, if you wish to revert to your HA configuration, use the vrrp-a ha-migration-restore command. For more information, see “Revert to HA from VRRP-A” on page 42.

HA to VRRP-A Migration Exceptions

During the migration process, some conditions will cause the migration command to fail. An HA configuration that does not contain any of the following HA configuration exceptions will result in a successful conversion to VRRP-A. Issue the migration command only after you have removed or manually upgraded the following HA configuration statements.


NOTE: When you execute the command, it will check your HA configuration to ensure that no HA configuration exceptions exist. If exceptions are encountered, the command will quit without performing any conversion to VRRP-A.

Assuming no Virtual Chassis (VCS) has been configured, the following exceptions will cause the HA migration command to fail:

• RBA partitions are encountered.

• Forward-L4-Packet-on-Standby is detected.

• L2 Inline Mode is detected. This includes support for HA Inline Mode (preferred port), HA restart-time, and HA restart-port-list.

• L3 Inline Mode is detected. This includes support for HA L3 Inline Mode and HA OSPF Inline mode.

• HA Parameters for Real Servers are detected. This includes support for HA priority cost.

• HA Parameters for Real Ports are detected.

• Firewall Load Balancing (FWLB) is detected.

HA to VRRP-A CLI Comparison

Table 7 shows the legacy HA commands and their VRRP-A equivalents.

NOTE: Many of the VRRP-A commands are further changed in the ACOS 4.x releases and are no longer the same as their legacy 2.7.x or 2.8.x equivalents; this migration is performed by the ACOS 4.x migration script.

TABLE 7 Actual HA to VRRP-A Conversion

Global Parameters

HA:     ha id {1|2} [set-id num]
VRRP-A: vrrp-a set-id num

HA:     ha group id num priority num
VRRP-A: vrrp-a vrid num
        priority num

HA:     floating-ip ipaddr ha-group num
VRRP-A: vrrp-a vrid num
        floating-ip ipaddr

HA:     ha interface ethernet port-num [router-interface | server-interface | both] [no-heartbeat | vlan vlan-id]
VRRP-A: vrrp-a interface ethernet port-num [router-interface | server interface | both] [no-heartbeat | vlan vlan-id]

The VRRP-A tracking options are created per VRID. The migration script will place the configuration under each VRID. If an interface is under a trunk, only the trunk will be tracked.

HA:     ha check vlan vlan-id timeout seconds
VRRP-A: track options
        vlan vlan-id timeout seconds priority-cost default

HA:     ha check gateway ipaddr
VRRP-A: gateway ipaddr priority-cost default

HA:     ha conn-mirror ip ipaddr
VRRP-A: IP address is learned automatically

HA:     ha preemption enable
VRRP-A: preempt-mode disable

HA:     ha time-interval 100-ms-units
VRRP-A: vrrp-a hello-interval 100-ms-units

HA:     ha timeout-retry-count num
VRRP-A: vrrp-a dead-timer num

HA:     ha arp-retry num
VRRP-A: vrrp-a arp-retry num

HA:     ha forward-l4-packet-on-standby
VRRP-A: Not supported

Global Parameters for L2 Inline Mode

HA:     ha inline-mode [preferred-port]
VRRP-A: Not supported

HA:     ha restart-time 100-msec-units
VRRP-A: Not supported

HA:     ha restart-port-list
VRRP-A: Not supported

Global Parameters for L3 Inline Mode

HA:     ha l3-inline-mode
VRRP-A: Not supported

HA:     ha ospf-inline vlan vlan-id
VRRP-A: Not supported

HA:     ha link-event-delay
VRRP-A: Not supported

Parameters for Virtual Servers (appear under slb virtual-server)

HA:     ha-group group-id
VRRP-A: vrid group-id

HA:     ha-dynamic server-weight
VRRP-A: It will not be changed

Parameters for Virtual Service

HA:     ha-conn-mirror
VRRP-A: It will not be changed

Parameters for Real Servers

HA:     ha-priority-cost weight ha-group group-id
VRRP-A: Not supported

Parameters for Real Ports

HA:     ha-group group-id
VRRP-A: Not supported

Parameters for FWLB

HA:     ha-priority-cost weight ha-group group-id
VRRP-A: Not supported

Parameters for IP NAT

HA:     Options with ip nat pool, ipv6 nat pool, or ip nat
VRRP-A: ip nat pool pool-name starting-ip-nat pool-address ending-ip-nat pool-address netmask pool-mask vrid vrid-num

Parameters for IP Routes

HA:     ha check route prefix /mask priority-cost weight [gateway ip ipaddr | ipv6 ipv6addr] [protocol {static | dynamic}][distance num]
VRRP-A: This appears under track options:
        route prefix /mask priority-cost weight [gateway ipaddr | ipv6addr] [protocol {static | dynamic}][distance num]
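Because the migration command quits on the first exception without converting anything, it helps to scan the saved legacy configuration beforehand. The following is an added example, not A10's migration script: it flags the statements Table 7 marks "Not supported". The sample configuration is constructed, the function names are hypothetical, and the assumptions that real servers appear under an `slb server` stanza and FWLB statements start with `fwlb` come from general ACOS usage rather than from this page. RBA partitions are not checked because the page gives no command for them, so an empty result does not guarantee that the migration succeeds.

```python
import re

# (pattern matched at the start of a stripped line, required top-level stanza, exception)
# Patterns come from the "Not supported" rows of Table 7. The stanza context for the
# real-server and real-port rows, and the "fwlb" prefix, are assumptions (see lead-in).
RULES = [
    (r"ha forward-l4-packet-on-standby\b", None, "Forward-L4-Packet-on-Standby"),
    (r"ha inline-mode\b", None, "L2 Inline Mode"),
    (r"ha restart-time\b", None, "L2 Inline Mode"),
    (r"ha restart-port-list\b", None, "L2 Inline Mode"),
    (r"ha l3-inline-mode\b", None, "L3 Inline Mode"),
    (r"ha ospf-inline\b", None, "L3 Inline Mode"),
    (r"ha link-event-delay\b", None, "L3 Inline Mode"),
    (r"ha-priority-cost\b", "slb server", "HA parameters for real servers"),
    (r"ha-group\b", "slb server", "HA parameters for real ports"),
    (r"fwlb\b", None, "FWLB"),
]

# Constructed legacy configuration (not taken from a real device).
SAMPLE = """\
ha id 1 set-id 1
ha interface ethernet 1 router-interface
ha inline-mode
ha forward-l4-packet-on-standby
!
slb server rs1 192.0.2.10
 ha-priority-cost 10 ha-group 1
 port 80 tcp
  ha-group 1
!
slb virtual-server vip1 192.0.2.100
 ha-group 1
 port 80 http
!
"""

# Constructed configuration with only statements that Table 7 maps to VRRP-A.
CLEAN = """\
ha id 1 set-id 1
ha interface ethernet 1 router-interface
!
slb virtual-server vip1 192.0.2.100
 ha-group 1
!
"""


def find_migration_exceptions(config_text):
    """Return [(line_number, exception, line)] for statements that block the migration."""
    findings, top = [], ""
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        nested = raw[0].isspace()
        if line == "!":
            top = ""          # "!" closes the current top-level stanza
            continue
        if not nested:
            top = line        # remember which stanza nested lines belong to
        for pattern, stanza, exception in RULES:
            in_context = stanza is None or (nested and top.startswith(stanza + " "))
            if in_context and re.match(pattern, line):
                findings.append((number, exception, line))
                break
    return findings


def blocking_exceptions(config_text):
    """Group findings as {exception: [line numbers]}; an empty dict means none found."""
    grouped = {}
    for number, exception, _ in find_migration_exceptions(config_text):
        grouped.setdefault(exception, []).append(number)
    return grouped


if __name__ == "__main__":
    for number, exception, line in find_migration_exceptions(SAMPLE):
        print(f"line {number}: {exception}: {line}")
```

Note that `ha-group` under `slb virtual-server` is not flagged, because Table 7 converts it to `vrid`; only the same keyword nested under a real server is reported.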


Running the HA to VRRP-A Migration Command

When you are ready to migrate your legacy HA configuration to VRRP-A:

1. Run the vrrp-a ha-migration CLI command. If you are migrating both devices in the HA pair, you must run this command separately on each device.

    ACOS-Active(config)#vrrp-a ha-migration
    ACOS boots from hard disk primary. VRRP-A migration only effects on hard disk primary.
    Migrate from HA to VRRP-A therein? (y/n) y
    HA Migration Starts...
    89 lines of configuration are processed
    Replacing old config file with new config file.
    Configure file has been replaced!
    HA configuration has been replaced by VRRP-A configuration! Please reload the system to finalize the migration!
    Warning: After reloading, all vrids in all partitions will be forced standby!
    Please manually remove forced-standby setting with command: no vrrp-a force-self-standby all-partitions

2. Reload your device with the reload CLI command.

    ACOS#reload
    System configuration has been modified. Save? [yes/no]:no
    s
    Do you wish to proceed with reload? [yes/no]:yes
    ACOS is reloading now. Please wait....
    ACOS has reloaded successfully.

3. Remove the forced-self-standby setting:

ACOS(config)#no vrrp-a force-self-standby all-partitions

4. Verify your VRRP-A configuration with the show running-config | sec vrrp-a command. For example:

    ACOS#show running-config | sec vrrp-a
    vrrp-a device-id 2
    vrrp-a set-id 1
    vrrp-a enable
    vrrp-a vrid default
      tracking-options
        interface ethernet 3 priority-cost 15
        interface ethernet 2 priority-cost 15
        interface ethernet 1 priority-cost 15
    vrrp-a vrid 1
      priority 100
      tracking-options
        interface ethernet 3 priority-cost 15
        interface ethernet 2 priority-cost 15
        interface ethernet 1 priority-cost 15
    vrrp-a interface ethernet 1 router-interface
    vrrp-a interface ethernet 2 server-interface no-heartbeat
    vrrp-a interface ethernet 3 vlan 100

Revert to HA from VRRP-A

To restore an existing HA configuration, you can revert from VRRP-A configuration using the vrrp-a ha-migration-restore command. This command will only work if you have previously migrated your HA configuration to VRRP-A using the migration script.

Below is an example:

    ACOS-Active(config)#vrrp-a ha-migration-restore
    ACOS boots from hard disk primary. Migration restore only effects on hard disk primary.
    Trying to find backup config file to replace current config file.
    The backup files is found.
    Proceed to replace current config file? (y/n) y
    System has been successfully restored! Please reload system!

Upgrading to ACOS 4.0.3

Use the procedure in this section to upgrade your device to ACOS 4.0.3. This procedure will migrate an existing legacy configuration profile to the new format, then restore your ACOS device using the migrated configuration.

CAUTION: Do not interrupt or stop the upgrade process once it has been started. If you do, any subsequent attempts to upgrade your ACOS device will not work.

Before you begin the upgrade, be sure to save and back up your existing configuration. It is also recommended that you have console access to the device, in the event that access to the management or data interfaces is lost.

NOTE: Backing up a system from one hardware platform and restoring it to a different hardware platform is not supported.

1. Use the write memory all-partitions command to save your current running-config to the startup-config.

    ACOS-2-7-x(config)#write memory all-partitions
    Building configuration...
    Write configuration to primary default startup-config
    [OK]


2. Use the backup system command to save your startup-config to a remote Linux system as a .tar.gz package. For example:

ACOS2-7-x(config)#backup system tftp://1.1.1.1/backups/2-7-x-system-backup

NOTE: The remote system where you send the backup package must have Python 2.7.3 or higher installed.

3. Download the migration tool (acos_migrate.pyc) to the same remote Linux system.

4. Run the migration tool. For example:

python acos_migrate.pyc -f 2.7.x-or-2.8.x-package-name -o 4.x-package-name

• Replace 2.7.x-or-2.8.x-package-name with the name of the .tar.gz package you created as a backup in step 2.

• Replace 4.x-package-name with the name of the file you want to create as the new release 4.x restore package.

The migration tool will generate a list of profiles which can be converted. For example:

    Found the following profiles available to migrate:
    ( 0) primary
    ( 1) secondary
    ( 2) 272-Sys-Test-09-01-14
    ( 3) 272_Sys-Int-09-30-14
    ( 4) 272_Sys-Test-10-01-14

5. Enter the number corresponding to one of the startup-config profiles listed.

You can only migrate one profile at a time; bulk or batch migration of multiple profiles is not supported. For more information, see “Understanding the Upgrade of L3V Partitions” on page 44.

Once a profile is chosen, the migration tool will migrate the selected profile to release 4.x format; this includes the startup-config for the shared partition and all L3V partitions, and also the new directory structure for L3V partitions. All existing partitions and their respective configurations will be lost. All related aFleX, class list, black and white list, and SSL files are copied into the new directory structure.

After the profile is converted, the 4.x-package-name file (step 4) is created. This is the package you will use to restore the system configuration files on your ACOS device. The converted profile will be part of the release 4.x package file, and the suffix “_40” will be added to the name of the profile. For example, if your original profile was named “fortest” then the corresponding 4.x profile would be named “fortest_40.” The original profile is not modified in any way.

NOTE: A new profile with a “_40” suffix is not created if you choose to convert the primary (option 0) or secondary (option 1) default profile; these profiles are directly overwritten and no new profile for release 4.0 is created.

6. Upgrade your ACOS release 2.7.2-Px or 2.8.2-Px software to release 4.x using the upgrade command and the image file name from “Upgrade Image File Names” on page 38. For example, on an FPGA device:

ACOS-2-7-x(config)#upgrade hd pri tftp://2.2.2.2/images/ACOS_FTA_version.upg


Or, on a non-FPGA device:

ACOS-2-7-x(config)#upgrade hd pri tftp://2.2.2.2/images/ACOS_non_FTA_version.upg

Near the end of the upgrade procedure, you will be prompted to reboot your ACOS device. You can answer yes to reboot, or no if you want to reboot manually. You must reboot the device to bring up the ACOS 4.x software before continuing with the upgrade procedure.

7. Restore your ACOS 4.x device using the restore command. This command brings the 4.x-package-name.tar.gz file onto your ACOS 4.x device. For example:

ACOS-4-x(config)#restore tftp://1.1.1.1/backups/4.x-package-name.tar.gz

8. Use the link command to link the profile you converted in step 5 to the startup-config. Recall that the converted profile will have “_40” appended as the suffix. For example, assuming the original profile has the name “fortest”:

ACOS-4-x(config)#link startup-config fortest_40

9. Reload or reboot your system; either one causes the ACOS device to restart using the configuration in the new profile. For example:

    ACOS-4-x(config)#reload
    Reload AX ....Done.
    ACOS-4-x(config)#

10. Run the following command to save the configuration in all partitions:

ACOS-4-x(config)#write memory all-partitions

Your upgrade to ACOS 4.0.3 is complete.

Understanding the Upgrade of L3V Partitions

In release 4.x, the directory structure for L3V partitions is completely new. All L3V partitions contain independent profiles that are not tied to the shared partition. To avoid conflicts in the system, only a single profile can be migrated to the ACOS 4.x device. Consider the example below, where you have a 2.7.x device with two profiles:

• profile-1 contains the configuration for the startup-config in the shared partition and partition p1

• profile-2 contains the configuration for the startup-config in the shared partition and partition p2

Suppose the procedure in “Upgrading to ACOS 4.0.3” on page 42 is followed, backing up profile-1 and then creating a restore package based on that configuration; when the ACOS device is reloaded or rebooted, it will have an L3V partition p1 configured.

If you wanted to repeat the procedure with profile-2, all previous L3V partitions on the device (in this case, p1) would be lost once the device was reloaded or rebooted. After the reload or reboot, the device would contain a single partition, p2.


Upgrading the Software Image Using aVCS

Software images from one 4.x release to another 4.x release can be upgraded using aVCS. The following upgrade procedures are available; use the procedure that is most applicable to your deployment.

• Full chassis upgrade – This procedure upgrades the software on the vMaster. The vMaster loads the upgrade image onto each of the vBlades, then reboots the vBlades to place the new software into effect. Service is briefly interrupted during the reboot.

The procedure for full chassis upgrade applies to VRRP-A deployments and to deployments that do not use VRRP-A. See “Full Chassis Upgrade (with or without VRRP-A)” on page 48.

• Staggered upgrade in VRRP-A deployment – This procedure avoids service disruption but has more steps than full chassis upgrade. See “Staggered Upgrade (with VRRP-A)” on page 48.

• Staggered upgrade with no VRRP-A – This procedure is the same as the staggered upgrade with VRRP-A, except there are no steps related to VRRP-A. See “Staggered Upgrade (with VRRP-A)” on page 48.

NOTE: Allow up to five minutes for a reboot to complete. (The typical reboot time is 2-3 minutes.) During a reboot, the system performs a full reset and will be offline. The actual time may vary depending on system parameters.

Use the GUI to Upgrade an aVCS Chassis

This section describes how to upgrade an aVCS chassis using the GUI.

Backing Up the System

Before you begin the upgrade, it is recommended to back up the system. A full system backup includes the startup-config file, aFleX files, and SSL certificates and keys.

1. Navigate to System >> Backup.

2. Click Backup, then select System from the drop-down menu.

3. Select the backup host and location, and the protocol used to access the host.

4. Click Backup.


Full Chassis Upgrade (with or without VRRP-A)

NOTE: This procedure requires a reboot of each ACOS device in the virtual chassis. In this case, the vMaster sends the new image to all vBlades and reboots all devices in the virtual chassis, including itself. This can take several minutes, during which a service outage will occur.

Perform the following steps on the vMaster.

1. Navigate to System >> Maintenance >> Upgrade.

2. Make sure Disable is selected in the Staggered Upgrade Mode field, and complete the other fields on this screen as needed to specify the location of the upgrade file. Refer to the online help for detailed information about all the fields on the screen.

3. Click Upgrade.

4. After the upgrade file is successfully loaded, reboot your device.

Staggered Upgrade (with VRRP-A)

Perform the following steps:

1. Navigate to System >> Maintenance >> Upgrade.

2. Make sure Enable is selected in the Staggered Upgrade Mode field.

3. Specify the ID of the device you want to upgrade.

4. Complete the other fields on this screen as needed to specify the location of the upgrade file. Refer to the online help for detailed information about all the fields on the screen.

NOTE: All devices in the virtual chassis use the same image area (primary or secondary). For example, if the software running on the vMaster is in the primary image area, all the vBlades also are running their software from their own primary image areas.

5. Click Upgrade.

6. After the upgrade file is successfully loaded, reboot your device.

7. After the device reboots, set the priority value of each VRID on the device to a lower value than on the backup ACOS device:

NOTE: Do not use the Force Self Standby option.

a. Navigate to System >> VRRP-A.

b. Click Settings, then select Vrid from the drop-down list.

c. Click Edit in the Actions column for a VRID.

d. Verify that Enable is selected in the Preempt Mode field.


e. Open the Blade Parameters section, then edit the value in the Priority field to a value that is lower than the priority value(s) for the VRIDs on the backup ACOS device.

f. Click Update.

8. Go to the vBlade device and force failover in order to take over the vMaster role:

a. Navigate to System >> aVCS >> Settings.

b. Open the Actions section, then enter 255 in the vMaster Take Over field.

c. Click OK.

During failover, the vBlade becomes the vMaster, and the vMaster becomes a vBlade device. The new vMaster will detect that the vBlade device is running old software, and it will upgrade the vBlade. As part of the upgrade, the vMaster will reboot the vBlade.

9. Optionally, force failover back to the original vMaster.

10. Take over the vMaster role:

a. Navigate to System >> aVCS >> Settings.

b. Open the Actions section, then enter 255 in the vMaster Take Over field.

c. Click OK.

11. For each VRID, repeat step 7 to reset the VRRP-A priority to its previous value.

Staggered Upgrade (no VRRP-A)

To perform a staggered upgrade in an environment where VRRP-A is not actively configured and running, perform the same steps as in “Staggered Upgrade (with VRRP-A)” on page 46 but skip step 7 and step 11.

Use the CLI to Upgrade an aVCS Chassis

This section describes how to upgrade an aVCS chassis using the CLI.

Backing Up the System

Before you begin the upgrade, it is recommended to back up the system. A full system backup includes the startup-config file, aFleX files, and SSL certificates and keys.

To do so, use the backup system command. For example:

ACOS(config)#backup system scp://exampleuser@examplehost/dir1/dir2/


Full Chassis Upgrade (with or without VRRP-A)

NOTE: This procedure requires a reboot of each ACOS device in the virtual chassis. In this case, the vMaster sends the new image to all vBlades and reboots all devices in the virtual chassis, including itself. This can take several minutes, during which a service outage will occur.

Perform the following steps on the vMaster.

1. Save the startup-config to a new configuration profile:

ACOS(config)#write memory all-partitions

2. Upload the new image onto the vMaster and reboot. For example:

ACOS(config)#upgrade hd pri scp://exampleuser@examplehost/dir1/dir2/upgrade_file.upg

The CLI displays a prompt asking you whether to reboot. Enter yes to reboot now, or no if you prefer to reboot later. The new image takes effect only after a reboot.

3. To verify the upgrade after the ACOS device reboots, use the show version command.

Staggered Upgrade (with VRRP-A)

In this procedure, the vBlades are upgraded first, followed by the vMaster.

NOTE: These steps assume that when you begin the procedure, the vMaster is also the active VRRP-A device for all VRIDs.

Perform step 1 through step 5 on the Current vMaster (ACOS1)

1. On the vMaster, verify the currently running software version and the image area currently in use.

    ACOS1-Active-vMaster[1/1]#show bootimage
                             (* = Default)
                             Version
    -----------------------------------------------
    Hard Disk primary        4.0.3.25 (*)
    Hard Disk secondary      2.6.1-GR1-P7.51
    Compact Flash primary    2.6.1-GR1-P7.51 (*)

    ACOS1-Active-vMaster[1/1]#show version
    AX Series Advanced Traffic Manager AX5100
    Copyright 2007-2015 by A10 Networks, Inc. All A10 Networks products are
    protected by one or more of the following US patents:
    8918857, 8914871, 8904512, 8897154, 8868765, 8849938, 8826372, 8813180
    8782751, 8782221, 8595819, 8595791, 8595383, 8584199, 8464333, 8423676
    8387128, 8332925, 8312507, 8291487, 8266235, 8151322, 8079077, 7979585
    7804956, 7716378, 7665138, 7647635, 7627672, 7596695, 7577833, 7552126
    7392241, 7236491, 7139267, 6748084, 6658114, 6535516, 6363075, 6324286
    5931914, RE44701, 8392563, 8103770, 7831712, 7606912, 7346695, 7287084
    6970933, 6473802, 6374300
    64-bit Advanced Core OS (ACOS) version 4.0.3, build 25 (Oct-25-2015,21:22)
    Booted from Hard Disk primary image
    Serial Number: AX51051110360007
    Firmware version: 0.26
    aFleX version: 2.0.0
    aXAPI version: 3.0
    Hard Disk primary image (default) version 4.0.3, build 25
    Hard Disk secondary image version 2.6.1-GR1-P7, build 51
    Compact Flash primary image (default) version 2.6.1-GR1-P7, build 51
    Last configuration saved at Oct-26-2015, 05:58
    Build Type: Internal
    Hardware: 16 CPUs(Stepping 5), Single 62G Hard disk
    Memory 24685 Mbyte, Free Memory 9878 Mbyte
    Hardware Manufacturing Code: 103600
    Current time is Oct-30-2015, 16:13
    The system has been up 4 days, 10 hours, 14 minutes

All devices in the virtual chassis use the same image area (primary or secondary). For example, if the software running on the vMaster is in the primary image area, all the vBlades also are running their software from the primary image areas on those devices.

2. Save the configuration. Be sure to use the all-partitions option if you have RBA or L3V partitions configured.

    ACOS1-Active-vMaster[1/1]#write memory all-partitions
    Building configuration...
    Write configuration to primary default startup-config
    [OK]

3. Upgrade the vBlade, by loading the new software image into the image area currently in use by the vBlade:

ACOS1-Active-vMaster[1/1](config)#upgrade hd pri scp://exampleuser@examplehost/dir1/dir2/upgrade_file.upg staggered-upgrade-mode Device 2

This step reboots the vBlade. The vMaster continues to operate.

4. For each VRID that is active on the device, force failover from the vMaster to the vBlade by setting the priority to 255. For example:

ACOS1-Active-vMaster[1/1](config)#vrrp-a vrid 2

ACOS1-Active-vMaster[1/1](config:2-vrid:2)#priority 255 device 2

NOTE: Do not use the vrrp-a force-self-standby command.


5. Validate that the load-balanced services are working. (The show commands or other techniques depend on your deployment. The show slb virtual-server command is useful in almost any deployment.)

Perform the Following Step on the vBlade (ACOS2)

6. On the vBlade that is running the new software image, enter the vcs vmaster-take-over command to force the vBlade to take over the vMaster role:

ACOS2-Active-vBlade[1/2]#vcs vmaster-take-over 255

During failover, the vBlade becomes the vMaster, and the vMaster becomes a vBlade. The new vMaster will detect that the vBlade device is running old software, and it will upgrade the vBlade. As part of this upgrade, the vMaster will reboot the vBlade.

Optional: Perform the Following Step on the Original vMaster (ACOS1)

7. Optionally, force failover back to the original vMaster. Perform the following step on the new vBlade (former vMaster) to resume the vMaster role and again become the active device for the VRID:

a. At the Privileged EXEC level, use the vcs vmaster-take-over command to take over the vMaster role:

ACOS1-Active-vBlade[1/1]#vcs vmaster-take-over 255

b. For each VRID, use the following commands to reset the VRRP-A priority to its previous value. For example:

ACOS1-Active-vMaster[1/1](config)#vrrp-a vrid 2

ACOS1-Active-vMaster[1/1](config:2-vrid:2)#priority 100 device 2
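Step 1 of this procedure asks you to verify the running version and the image area in use, and the upgrade relies on every device using the same image area. The following is an added example, not A10 code: it parses saved show version output from each device and reports which devices still need the new image and whether the image areas agree. The ACOS1 text is taken from the listing above; the ACOS2 outputs, including their version and build numbers, are constructed, and the function names are hypothetical.

```python
import re

# Lines taken from the show version listing above (ACOS1).
ACOS1 = """\
64-bit Advanced Core OS (ACOS) version 4.0.3, build 25 (Oct-25-2015,21:22)
Booted from Hard Disk primary image
Hard Disk primary image (default) version 4.0.3, build 25
Hard Disk secondary image version 2.6.1-GR1-P7, build 51
Compact Flash primary image (default) version 2.6.1-GR1-P7, build 51
"""

# Constructed: a vBlade still on an earlier build, booted from the same image area.
ACOS2_OLD = """\
64-bit Advanced Core OS (ACOS) version 4.0.1, build 214 (constructed)
Booted from Hard Disk primary image
Hard Disk primary image (default) version 4.0.1, build 214
Hard Disk secondary image version 2.6.1-GR1-P7, build 51
"""

# Constructed: the same device reporting that it booted from the other image area.
ACOS2_SECONDARY = ACOS2_OLD.replace(
    "Booted from Hard Disk primary", "Booted from Hard Disk secondary"
)

RUNNING = re.compile(r"\(ACOS\) version (\S+), build (\d+)")
BOOTED = re.compile(r"^Booted from (.+) image\s*$", re.MULTILINE)
IMAGE = re.compile(
    r"^(Hard Disk|Compact Flash) (primary|secondary) image( \(default\))?"
    r" version (\S+), build (\d+)",
    re.MULTILINE,
)


def parse_show_version(text):
    """Extract running version, build, booted image area and installed images."""
    running, booted = RUNNING.search(text), BOOTED.search(text)
    if not running or not booted:
        raise ValueError("not a recognisable show version output")
    images = {
        f"{m.group(1)} {m.group(2)}": {
            "version": m.group(4),
            "build": int(m.group(5)),
            "default": m.group(3) is not None,
        }
        for m in IMAGE.finditer(text)
    }
    return {
        "version": running.group(1),
        "build": int(running.group(2)),
        "booted_from": booted.group(1),
        "images": images,
    }


def chassis_report(outputs, target_version):
    """outputs: {device name: show version text}. Report upgrade state and mismatches."""
    parsed = {name: parse_show_version(text) for name, text in outputs.items()}
    problems = []
    if len({p["booted_from"] for p in parsed.values()}) > 1:
        problems.append("devices are booted from different image areas")
    for name, p in sorted(parsed.items()):
        area = p["images"].get(p["booted_from"])
        if area is None or area["version"] != p["version"]:
            problems.append(f"{name}: booted area does not list the running version")
    return {
        "needs_upgrade": sorted(
            n for n, p in parsed.items() if p["version"] != target_version
        ),
        "problems": problems,
    }


if __name__ == "__main__":
    print(chassis_report({"ACOS1": ACOS1, "ACOS2": ACOS2_OLD}, "4.0.3"))
    print(chassis_report({"ACOS1": ACOS1, "ACOS2": ACOS2_SECONDARY}, "4.0.3"))
```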

Staggered Upgrade (no VRRP-A)

To perform a staggered upgrade in an environment where VRRP-A is not actively configured and running, perform the same steps as in “Staggered Upgrade (with VRRP-A)” on page 48 but skip step 4 and step b.
