
A10 AX Training Booklet 032010


A10 Networks Confidential Information

Contents

Training Labs

Lab #1 – Load Balancing Basics
Managing your AX
Adding Servers to AX
Adding Service Ports
Adding A Service Group
Configuring IP NAT Pools
Creating a Virtual Server and IP (VIP)

Lab #2 – Health Monitors
Creating A Health Monitor
Using The Health Monitor
Health Monitor Failures & Service Down
Server Versus Service Port Status
More HTTP Health Monitor Options

Lab #3 – Templates
Creating Additional Service Groups
Creating an HTTP Template for URL Switching
Source IP Persistence (Switching)
Cookie Persistence (Switching)

Lab #4 – SSL Acceleration
Importing Certificates and Keys
Creating a Client SSL Template
Using the Client SSL Template

Lab #5 – Policy Based Server Load Balancing (PBSLB)
Importing the Black/White List
Using a Black/White List with Policies
More Policy Actions

Lab #6 – aFlex
Import the aFlex Scripts
Use aFlex on Virtual Service
aFlex Scripting – Part 2

Lab #7 – Compression
Creating a template with compression enabled
Binding the template to your virtual service port
Controlling the compression level

Lab #8 – RAM Caching
Creating a RAM cache template
Binding the RAM cache template to your virtual service port
Changing the default behavior – Caching policies

Lab #9 – System Configuration Practice
Changing boot partition during bootup
AX Debugging lab
Dump SSL encrypted data
Things to do before calling tech support


Training Labs

Lab #1 – Load Balancing Basics

In this lab you will configure your AX to load balance traffic in one-arm mode using source NAT.

Clients, servers, and AX units are all on the same IP subnet.

Managing your AX

Your AX unit has been pre-configured with your assigned IP address. Each student has also been assigned an IP address for their laptop client (refer to the PowerPoint presentation or ask your instructor).

Configure your laptop client with the appropriate IP address and access the AX’s CLI using SSH/Telnet from your laptop. Use the default login name “admin” and default password “a10” to log in.

login as: admin
Using keyboard-interactive authentication.
Password:
Last login: Mon Feb 16 14:26:56 2009 from 192.168.18.11
[type ? for help]
AX>


After successful login, enter privileged mode using the “enable” command. By default, there is no password assigned so simply hit the “Enter” key when prompted for the password.

AX>enable
Password:
AX#

You are now ready to start configuring your AX unit. At any time, you can use the question mark (?) in the CLI to get help text, and the Tab key for command auto-completion.

GUI Example:

Figure 1: Login Screen

Adding Servers to AX

There are two web servers on the classroom’s lab network with IP addresses 192.168.18.201 and 192.168.18.202.

In order to load balance traffic to these servers, you must first add them to the AX. To configure the AX, you must enter config mode. Once in config mode, add the first server using the commands shown below.

AX#config
AX(config)#slb server web1 192.168.18.201
AX(config-real server)#


The above commands add the server with IP address 192.168.18.201 as an SLB server named “web1” on AX. Now add the second server with the name “web2”.

You can confirm that your servers have been added using the “show slb server” command.

AX(config-real server)#show slb server
Total Number of Services configured: 0
Current = Current Connections, Total = Total Connections
Req-pkt = Request packets, Resp-pkt = Response packets
Service            Current  Total  Req-pkt  Resp-pkt  State
--------------------------------------------------------------------------------
web1: Total        0        0      0        0         Up
web2: Total        0        0      0        0         Up

GUI Example:

Figure 2: Config > Service > SLB > Server > Add


Figure 3: Config > Service > SLB > Server (2 servers Added)

Adding Service Ports

Now that the servers have been added, the next step is to tell AX which service ports are available for load balancing. The command below shows how to add TCP port 80 as a service port.

AX(config)#slb server web1
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#

Now add TCP port 80 as a service port for the server “web2” as well.

You can confirm the service ports have been added using the “show slb server” command again.

AX(config-real server-node port)#show slb server
Total Number of Services configured: 2
Current = Current Connections, Total = Total Connections
Req-pkt = Request packets, Resp-pkt = Response packets
Service            Current  Total  Req-pkt  Resp-pkt  State
--------------------------------------------------------------------------------
web1:80/tcp        0        0      0        0         Up
web1: Total        0        0      0        0         Up
web2:80/tcp        0        0      0        0         Up
web2: Total        0        0      0        0         Up


GUI Example:

Figure 4: Config > Service > SLB > Server (Add the Port Details)

Adding A Service Group

Now that the servers and service ports have been added, you need to assign them to a service group that will be used for load balancing.

Create a new TCP service group named “web_group” and add the two web servers’ service port 80 as members of the group using the commands below.

AX(config)#slb service-group web_group tcp
AX(config-slb svc group)#member web1:80
AX(config-slb svc group)#member web2:80

Confirm the service group configuration using the “show slb service-group” command.

AX(config-slb svc group)#show slb service-group
Total Number of Service Groups configured: 1
Current = Current Connections, Total = Total Connections
Req-p = Request packets, Resp-p = Response packets
Service Group Name
Service            Current  Total  Req-p  Resp-p
-----------------------------------------------------------------------
*web_group         State: Up
web1:80            0        0      0      0
web2:80            0        0      0      0

GUI Example:

Figure 5: Config > Service > SLB > Server Group (Add the two servers in the Service Group)

Configuring IP NAT Pools

Source NAT is required for one-arm mode load balancing, so you will need to add an IP NAT pool to the AX using the IP address assigned by your instructor.

Add an IP NAT pool named “source_nat1” using the commands below and replace the IP address with your assigned IP. For the purposes of this lab, the start and end addresses are the same (i.e. an IP NAT pool consisting of a single IP address).

AX(config)#ip nat pool source_nat1 192.168.18.151 192.168.18.151 netmask /24

Confirm your configured IP NAT pool using the “show ip nat pool” command.

AX(config)#show ip nat pool
Total IP NAT Pools: 1
Pool Name      Start Address    End Address      Mask  Gateway   HA Group
-----------------------------------------------------------------------------------
source_nat1    192.168.18.151   192.168.18.151   /24   0.0.0.0   0


You now have all the pieces required for one-arm mode load balancing on your AX. The next step is to configure a virtual server IP and virtual service port.

GUI Example:

Figure 6: Config > Service > IP Source NAT > Add

Creating a Virtual Server and IP (VIP)

Now it’s time to create a virtual server with an IP address (VIP) that will be used by clients to access the load balanced service.

Use the commands below to create a virtual server named “main_vip” and replace the IP with the address assigned by your instructor.

AX(config)#slb virtual-server main_vip 192.168.18.101

Once the VIP is configured, you can add a virtual service port for load balancing. In this lab, we will configure a virtual HTTP web service load balanced across our two servers.

Use the commands below to create the virtual HTTP service port that will use the service group “web_group” and IP NAT pool “source_nat1” for source NAT load balancing.

AX(config-slb vserver)#port 80 http
AX(config-slb vserver-vport)#service-group web_group
AX(config-slb vserver-vport)#source-nat pool source_nat1


Confirm your virtual configuration using the command “show slb virtual-server”.

AX(config-slb vserver-vport)#show slb virtual-server
Total Number of Virtual Services configured: 1
Virtual Server Name   IP               Current     Total       Request  Response
Service-Group         Service          connection  connection  packets  packets
--------------------------------------------------------------------------------
*main_vip             192.168.18.101
port 80 http
web_group             80/http          0           0           0        0
Total received conn attempts on this port: 0

Congratulations! You are now ready to send traffic to your AX. Use a web browser on your laptop and access your VIP. Browse the test website and watch your traffic get load balanced across the two web servers. Use the “show” commands you tried in the above steps to take a look at the statistics.

GUI Example:

Figure 7: Config > Service > SLB > Virtual Server


Figure 8: Config > Service > SLB > Virtual Server (Adding Port )

Figure 9: Config > Service > SLB > Virtual Server (Port Added)


Lab #2 – Health Monitors

In this lab you will create and use different health monitors.

Creating A Health Monitor

In the previous lab, when you added servers and service ports to AX it also configured default health monitors. The default health monitor for servers is ICMP. For TCP service ports, AX uses a default TCP health monitor (simple 3-way TCP handshake).

AX#show slb server config
Total Number of Services configured: 2
H-check = Health check  Max conn = Max. Connection  Wgt = Weight
Service        Address          H-check   Status   Max conn   Wgt
-------------------------------------------------------------------------------
web1:80/tcp    192.168.18.201   Default   Enable   1000000    1
web1           192.168.18.201   Default   Enable   1000000    1
web2:80/tcp    192.168.18.202   Default   Enable   1000000    1
web2           192.168.18.202   Default   Enable   1000000    1

Now you will configure an HTTP health monitor for the servers’ web service port.

Create a health monitor named “http-default” that uses the HTTP health check method with the following commands.

AX(config)#health monitor http-default
AX(config-health:monitor)#method http

This creates a health monitor that uses the default parameters for the HTTP method. You can view the details using the “show health monitor http-default” command.

AX(config-health:monitor)#show health monitor http-default
Monitor Name: http-default
Interval: 30
Max Retry: 3
Timeout: 5
Up-Retry: 1
Status: Idle
Method: HTTP
Attribute: port=80
url="GET /"

GUI Example:


Figure 10: Config > Service > Health Monitor > Add

Using The Health Monitor

Now that you have created a health monitor, it needs to be used. The following commands will associate the health monitor you just created with the TCP 80 service port of server “web1”.

AX(config)#slb server web1
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#health-check http-default

GUI Example:


Figure 11: Config > Service > SLB > Server > (web1)

Check that the health monitor is now in use with the commands below.

AX(config-real server-node port)#show health monitor
Idle = Not used by any server  In use = Used by server
Monitor Name   Interval  Retries  Timeout  Up-Retries  Method  Status
-------------------------------------------------------------------------
ping           30        3        5        1           ICMP    In use
http-default   30        3        5        1           HTTP    In use

AX(config-real server-node port)#show slb server config
Total Number of Services configured: 3
H-check = Health check  Max conn = Max. Connection  Wgt = Weight
Service        Address          H-check        Status   Max conn   Wgt
-------------------------------------------------------------------------------
web1:80/tcp    192.168.18.201   http-default   Enable   1000000    1
web1           192.168.18.201   Default        Enable   1000000    1
web2:80/tcp    192.168.18.202   Default        Enable   1000000    1
web2           192.168.18.202   Default        Enable   1000000    1

Since our web servers are running and there is a page available at the HTML root, this health monitor will not change the server’s status (as seen below).

AX(config-real server-node port)#show slb server
Total Number of Services configured: 2
Current = Current Connections, Total = Total Connections
Req-pkt = Request packets, Resp-pkt = Response packets
Service            Current  Total  Req-pkt  Resp-pkt  State
--------------------------------------------------------------------------------
web1:80/tcp        0        0      0        0         Up
web1: Total        0        0      0        0         Up
web2:80/tcp        0        0      0        0         Up
web2: Total        0        0      0        0         Up

Let’s create another health monitor to demonstrate how health check failures will bring a server/service port status down.

Health Monitor Failures & Service Down

Create another health monitor named “http-hm”. Explicitly configure a shorter interval and fewer retries in order to see the service status change more quickly.

AX(config)#health monitor http-hm interval 5 retry 1
AX(config-health:monitor)#method http url HEAD /404.html
AX(config-health:monitor)#show health monitor http-hm
Monitor Name: http-hm
Interval: 5
Max Retry: 1
Timeout: 5
Up-Retry: 1
Status: Idle
Method: HTTP
Attribute: port=80
url="HEAD /404.html"

GUI Example:


Figure 12: Config > Service > Health Monitor

Since this page does not exist on the web servers in our classroom lab, the health monitor will return failure. Use it on server “web1” and observe what happens.

AX(config)#slb server web1
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#health-check http-hm

After several seconds, the service port’s status will become down.

AX(config-real server-node port)#show slb server
Total Number of Services configured: 2
Current = Current Connections, Total = Total Connections
Req-pkt = Request packets, Resp-pkt = Response packets
Service            Current  Total  Req-pkt  Resp-pkt  State
--------------------------------------------------------------------------------
web1:80/tcp        0        0      0        0         Down
web1: Total        0        0      0        0         Up
web2:80/tcp        0        0      0        0         Up
web2: Total        0        0      0        0         Up

GUI Example:


Figure 13: Monitor > Service > SLB > Server

Try sending some requests to the AX VIP using your laptop’s web browser. You will notice that the requests are no longer load balanced to server “web1” because its service port is down.

Server Versus Service Port Status

You may have noticed that service port 80 TCP on “web1” is marked down, but the server itself is still up. This is because the server-level health-check is still successful (i.e. the default ICMP ping health-check).

A health-check failure at the service port level will bring that particular service port down. However, a failure at the server level will bring all service ports on that server down (even if the service port health-check is successful).
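The server-versus-port distinction above can be read directly out of the “show slb server” output. The following Python is an added example, not part of the original booklet or of A10 software: it parses output in the layout shown in this lab and reports which service ports are unavailable and at which level the failure sits. Both sample outputs are constructed, and the function names are hypothetical.

```python
import re

# Constructed samples in the layout of the "show slb server" output in this lab.
PORT_DOWN = """\
Total Number of Services configured: 2
Service            Current  Total  Req-pkt  Resp-pkt  State
--------------------------------------------------------------------------------
web1:80/tcp        0        0      0        0         Down
web1: Total        0        0      0        0         Up
web2:80/tcp        0        0      0        0         Up
web2: Total        0        0      0        0         Up
"""
# Constructed case: the server-level check on web2 failed, its port check did not.
SERVER_DOWN = """\
Service            Current  Total  Req-pkt  Resp-pkt  State
--------------------------------------------------------------------------------
web1:80/tcp        0        0      0        0         Up
web1: Total        0        0      0        0         Up
web2:80/tcp        0        0      0        0         Up
web2: Total        0        0      0        0         Down
"""

# "<server>:<port>/<proto>" is a service-port row, "<server>: Total" is the server row.
ROW = re.compile(
    r"^(?P<server>[\w.-]+):(?:(?P<port>\d+/\w+)|\s*Total)"
    r"\s+(?:\d+\s+){4}(?P<state>\w+)\s*$"
)


def parse_slb_servers(output):
    """Return {server: {"state": str or None, "ports": {"80/tcp": state}}}."""
    servers = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, legend and separator lines
        entry = servers.setdefault(m["server"], {"state": None, "ports": {}})
        if m["port"]:
            entry["ports"][m["port"]] = m["state"]
        else:
            entry["state"] = m["state"]
    return servers


def unavailable_ports(output):
    """List (server, port, reason) for every port that cannot take traffic."""
    findings = []
    for name, entry in parse_slb_servers(output).items():
        for port, port_state in entry["ports"].items():
            if entry["state"] not in (None, "Up"):
                # Server-level failure takes every port on that server down.
                findings.append((name, port, "server-level check failed"))
            elif port_state != "Up":
                findings.append((name, port, "service-port check failed"))
    return findings


if __name__ == "__main__":
    for sample in (PORT_DOWN, SERVER_DOWN):
        print(unavailable_ports(sample))
```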

More HTTP Health Monitor Options

Now let’s try a few more options available when using the HTTP health monitor method.

Modify the “http-hm” health monitor to send a HEAD request for the “axseries.html” page.

AX(config)#health monitor http-hm
AX(config-health:monitor)#method http url HEAD /axseries.html

Since the page “axseries.html” exists on the server, the health-check should be successful and the service port should come back up.

AX(config-real server-node port)#show slb server
Total Number of Services configured: 2
Current = Current Connections, Total = Total Connections
Req-pkt = Request packets, Resp-pkt = Response packets
Service            Current  Total  Req-pkt  Resp-pkt  State
--------------------------------------------------------------------------------
web1:80/tcp        0        0      0        0         Up
web1: Total        0        0      0        0         Up
web2:80/tcp        0        0      0        0         Up
web2: Total        0        0      0        0         Up

Your requests to the VIP should be load balanced to both web servers again.

Now let’s try using the “expect” option with an HTTP GET request. Modify the “http-hm” health monitor to send an HTTP GET request for the “axseries.html” page and include an expect option for the text “abcdefg”.

AX(config)#health monitor http-hm
AX(config-health:monitor)#method http url GET /axseries.html expect abcdefg

Since “abcdefg” does not appear anywhere on the requested page, your service port should go down again.

AX(config-health:monitor)#show slb server
Total Number of Services configured: 2
Current = Current Connections, Total = Total Connections
Req-pkt = Request packets, Resp-pkt = Response packets
Service            Current  Total  Req-pkt  Resp-pkt  State
--------------------------------------------------------------------------------
web1:80/tcp        0        0      0        0         Down
web1: Total        0        0      0        0         Up
web2:80/tcp        0        0      0        0         Up
web2: Total        0        0      0        0         Up

Now modify the health monitor to expect a string that does appear in the page. Change the expect option to look for the string “ACOS”.

AX(config)#health monitor http-hm
AX(config-health:monitor)#method http url GET /axseries.html expect ACOS

The service port should come back up once again.

AX(config-health:monitor)#show slb server
Total Number of Services configured: 2
Current = Current Connections, Total = Total Connections
Req-pkt = Request packets, Resp-pkt = Response packets
Service            Current  Total  Req-pkt  Resp-pkt  State
--------------------------------------------------------------------------------
web1:80/tcp        0        0      0        0         Up
web1: Total        0        0      0        0         Up
web2:80/tcp        0        0      0        0         Up
web2: Total        0        0      0        0         Up

Congratulations! You now have a solid understanding of how health monitors are created and used. If you have time, explore the other options and health monitor methods available.
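As an added example (not part of the original booklet or of A10 code), the Python below replays the four “http-hm” probes from this lab against a constructed local stand-in for the lab web server. It assumes a check passes only on a 200 response and, when an expect string is given, only if that string appears in the response body; the page content, handler and function names are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the lab web server: one page whose body contains "ACOS".
PAGES = {"/axseries.html": b"<html><body>AX Series runs ACOS</body></html>"}

# The four probes configured on "http-hm" in this lab: (method, url, expect).
LAB_PROBES = [
    ("HEAD", "/404.html", None),
    ("HEAD", "/axseries.html", None),
    ("GET", "/axseries.html", "abcdefg"),
    ("GET", "/axseries.html", "ACOS"),
]


class LabHandler(BaseHTTPRequestHandler):
    def _reply(self, send_body):
        body = PAGES.get(self.path)
        if body is None:
            self.send_response(404)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if send_body:
            self.wfile.write(body)

    def do_GET(self):
        self._reply(send_body=True)

    def do_HEAD(self):
        self._reply(send_body=False)  # HEAD returns headers only

    def log_message(self, *args):
        pass  # keep the example quiet


def http_check(host, port, method, url, expect=None, timeout=5):
    """Return True if the probe passes (assumed rule: 200 plus optional body match)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, url)
        resp = conn.getresponse()
        body = resp.read()  # empty for HEAD, so "expect" can only match on GET
    except (OSError, http.client.HTTPException):
        return False  # refused connection or timeout counts as a failed check
    finally:
        conn.close()
    if resp.status != 200:
        return False
    return expect is None or expect.encode() in body


def run_lab_checks():
    """Start the stand-in server on a free loopback port and run every lab probe."""
    server = HTTPServer(("127.0.0.1", 0), LabHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        results = {}
        for method, url, expect in LAB_PROBES:
            label = f"{method} {url}" + (f" expect {expect}" if expect else "")
            results[label] = http_check("127.0.0.1", port, method, url, expect)
        return results
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for probe, passed in run_lab_checks().items():
        print(f"{probe:40} {'Up' if passed else 'Down'}")
```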

Lab #3 – Templates

In this lab you will create HTTP and Persist templates that will be used to change the way AX load balances incoming requests.

NOTE: Your web browser may automatically cache pages you have already viewed. When going through the exercises in this lab you may need to disable/clear the browser cache in order for subsequent requests to actually go to AX. Your browser may also have a hot-key for bypassing the local browser cache when performing a page refresh (e.g. on Firefox, you can hold the Shift key when clicking Refresh).

Creating Additional Service Groups

To demonstrate the URL switching feature of HTTP templates, we will create two additional service groups: one for “web1” and the other for “web2”.

AX(config)#slb service-group web_html tcp
AX(config-slb svc group)#mem web1:80
AX(config-slb svc group)#slb service-group web_images tcp
AX(config-slb svc group)#mem web2:80

You should now have a total of three service groups as shown below.

AX(config-slb svc group)#show slb service-group
Total Number of Service Groups configured: 3
Current = Current Connections, Total = Total Connections
Req-p = Request packets, Resp-p = Response packets
Service Group Name
Service            Current  Total  Req-p  Resp-p
-----------------------------------------------------------------------
*web_group         State: All Up
web1:80            0        0      0      0
web2:80            0        0      0      0
*web_html          State: All Up
web1:80            0        0      0      0
*web_images        State: All Up
web2:80            0        0      0      0

Creating an HTTP Template for URL Switching

Create an HTTP template named “url-switch” using the following command.

AX(config)#slb template http url-switch

The “url-switching” option allows you to configure rules used to select different service groups based on the URL requested.

AX(config-http)#url-switching ?
contains     Select service group if URL string contains another string
ends-with    Select service group if URL string ends with another string
match        Deprecated. Same as contains
starts-with  Select service group if URL string starts with another string


Configure the following URL switching rules.

AX(config-http)#url-switching ends-with .html service-group web_html
AX(config-http)#url-switching ends-with .jpg service-group web_images
AX(config-http)#url-switching ends-with .gif service-group web_images
AX(config-http)#show slb template http url-switch
slb template http url-switch
   url-switching ends-with .html service-group web_html
   url-switching ends-with .jpg service-group web_images
   url-switching ends-with .gif service-group web_images

GUI Example:

Figure 14: Config > Service > Templates > Application > Http (Adding Http template)


Figure 15: Config > Service > Templates > Application > http ( Application Switching )

Now that you have created your HTTP template, let’s use it on our virtual server to see it in action.

AX(config-http)#slb virtual-server main_vip
AX(config-slb vserver)#port 80 http
AX(config-slb vserver-vport)#template http url-switch

GUI Example:


Figure 16: Config > Service > SLB > Virtual Server > vip0, Port 80 (Adding http template)

Use your laptop’s web browser to go to your virtual server IP address (e.g. http://192.168.1.101/).

You can confirm which service group was used using the “show slb service-group” command on AX. Notice that the first request (i.e. HTTP GET “/”) uses the original service group “web_group” because it does not match any of our URL switching rules. But the subsequent requests for the images on the front page are sent to the service group “web_images”.

AX#show slb service-group
Total Number of Service Groups configured: 3
Current = Current Connections, Total = Total Connections
Req-p = Request packets, Resp-p = Response packets
Service Group Name
Service            Current  Total  Req-p  Resp-p
-----------------------------------------------------------------------
*web_group         State: All Up
web1:80            0        0      0      0
web2:80            0        1      1      4
*web_html          State: All Up
web1:80            0        0      0      0
*web_images        State: All Up
web2:80            0        2      2      8

GUI Example:


Figure 17: Monitor > Service > SLB >Service Group

Figure 18: Monitor > Service > SLB > Service Group (Subsequent Reqs goes to web-images)

You can also use the “show slb http debug” command to see which switching method was used.


AX#show slb http debug
                           DP0   DP1   DP2   DP3   Total
------------------------------------------------------------------
Cookie switching           0     0     0     0     0
Cookie switching (succ)    0     0     0     0     0
aFleX switching            0     0     0     0     0
aFleX switching (succ)     0     0     0     0     0
URL switching              0     1     1     0     2
URL switching (succ)       0     1     1     0     2
Host switching             0     0     0     0     0
Host switching (succ)      0     0     0     0     0
Normal LB switching        0     0     0     1     1
Normal LB switch. (succ)   0     0     0     1     1

Browse the simple test website by clicking the hyperlinks. You should see requests being sent to the service group “web_html”.

Now we will move on to a different type of template that modifies the way AX selects a server for load balancing: persist templates.

Source IP Persistence (Switching)

One type of persist template is the source-ip persist template. When this type of template is used on a virtual service port, all connections from the same source IP (in this lab, your laptop’s IP) will persist (“stick”) to the server selected on the first request.

Let’s create this new template and name it “src-ip-persist”.

AX(config)#slb template persist source-ip src-ip-persist
AX(config-source ip persist)#

GUI Example:


Figure 19: Config > Service > Templates > Persistent > Source-Ip- Persistent

Now remove the HTTP template and apply the source IP persist template to your virtual port.

AX(config)#slb virtual-server main_vip
AX(config-slb vserver)#port 80 http
AX(config-slb vserver-vport)#no template http url-switch
AX(config-slb vserver-vport)#template persist source-ip src-ip-persist
AX(config-slb vserver-vport)#show run | section main_vip
slb virtual-server main_vip 192.168.18.101
   port 80 http
      source-nat pool source_nat1
      service-group web_group
      template persist source-ip src-ip-persist

GUI Example:


Figure 20: Config > Service > SLB > Virtual Server

Use your laptop to browse our simple test web site again. You should notice that all the requests are sent to one of the web servers.

To view which source IPs are currently persisting to a server, use the “show session persist” command.

AX#show session persist
Prot  Forward Source   Forward Dest        Reverse Source   Age
------------------------------------------------------------------------
src   192.168.18.11    192.168.18.101:80   192.168.18.201   300

The “Age” value shows how long AX will continue to persist to the server selected. The age will be refreshed each time the same source IP sends a request to the virtual port. When the persistent session ages out, AX will perform server selection again.

The default value is 300 seconds (5 minutes). This value can be modified as one of the template options.

The “clear session persist” command will clear all persistent sessions. Try using this command and then browse the website again.


Cookie Persistence (Switching)

Cookie persist templates can be used on HTTP and HTTPS virtual service ports. When used, AX inserts a cookie in the client’s web browser. When AX receives the cookie on subsequent requests, it uses the cookie value to persist to the server selected in the first request.

Create a cookie persist template with the following commands.

AX(config)#slb template persist cookie cookie-persist
AX(config-cookie persist)#name My-AX-Cookie
AX(config-cookie persist)#expire 1800

GUI Example:

Figure 21: Config > Service > Templates > Persistent > Cookie Persistent

The “name” option allows you to specify a custom cookie name to be used. The default cookie name will be something similar to “sto-id-20480”.

The “expire” option sets the expiration of the cookie. In this example, the cookie will expire 1800 seconds (30 minutes) after the browser first receives it from AX. Setting a value of 0 seconds means the cookie will expire immediately after the current session is over (i.e. a session cookie). If the option is not configured the default expiration is 10 years.

Remove the source IP persist template and apply the cookie persist template with the commands below.

AX(config)#slb virtual-server main_vip
AX(config-slb vserver)#port 80 http
AX(config-slb vserver-vport)#no template persist source-ip src-ip-persist
AX(config-slb vserver-vport)#template persist cookie cookie-persist

GUI Example:

Figure 22: Config > Service > SLB > Virtual Server

Visit the test website again and check your browser’s cookies. You should see the cookie

inserted by AX. You should also notice that once again your requests are persisting to the same

server.

You can use the “show slb http debug” command again to see what type of switching is being

used. This time, you should see the counters for “Cookie switching” being incremented.

AX(config-cookie persist)#show slb http debug

DP0 DP1 DP2 DP3 Total

------------------------------------------------------------------

Cookie switching 0 0 1 1 2

Cookie switching (succ) 0 0 1 1 2

Try clearing your browser’s cookies and visit the site again to see a new server selected.

Lab #4 – SSL Acceleration

In this lab we will import a test certificate and key onto AX, and create both a client and a server

side SSL template to be used with our virtual HTTPS service.

Importing Certificates and Keys

AX supports importing certificates and keys using TFTP, FTP, SCP, or RCP protocols. The web

UI also supports file upload via web browser.

For the purposes of this lab, the certificate and key files have been placed on server “web1”

(192.168.1.201) and we will be importing them via SCP using the following commands. The

login and password are both “a10”.

AX(config)#import ssl-cert my_cert scp://[email protected]/home/a10/cert.pem

Password []?

AX(config)#import ssl-key my_key scp://[email protected]/home/a10/key.pem

Password []?

You can view the certificates and keys that have been imported to AX using the command

below.

AX(config)#show slb ssl cert

name: my_cert

type: certificate

Common Name: 1024.bit

Organization: Internet Widgits Pty Ltd

Expiration: Feb 21 00:55:42 2003 GMT

Issuer: CA

name: my_key

type: key

key size: 1024

Now that you have successfully imported the certificate and key to AX, we are ready to create

the templates to use them.
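
The test certificate listed above expired in 2003 and is paired with a 1024-bit key, which is acceptable only in a lab. The following Python sketch is an added example, not part of the booklet or of AX: it parses the “show slb ssl cert” output shown above and flags expired certificates and short keys. The 2048-bit minimum, the 30-day warning window and the reference date are assumptions chosen for the example.

```python
from datetime import datetime, timedelta, timezone

# Output of "show slb ssl cert" as printed in the lab.
SAMPLE_OUTPUT = """\
name: my_cert
type: certificate
Common Name: 1024.bit
Organization: Internet Widgits Pty Ltd
Expiration: Feb 21 00:55:42 2003 GMT
Issuer: CA
name: my_key
type: key
key size: 1024
"""

MIN_KEY_BITS = 2048  # assumption: minimum acceptable RSA key size
# Constructed reference date (the booklet is dated 03/2010) so results are repeatable.
BOOKLET_DATE = datetime(2010, 3, 1, tzinfo=timezone.utc)


def parse_ssl_cert_output(text):
    """Split the listing into one dict per object; a 'name:' line starts a new one."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "name":
            current = {"name": value}
            records.append(current)
        elif current is not None:
            current[key.lower()] = value
    return records


def parse_expiration(value):
    """Parse the 'Feb 21 00:55:42 2003 GMT' form used in the listing."""
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def audit(records, now=None, warn_days=30):
    """Return (object name, finding, detail) tuples for certificates and keys."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for rec in records:
        if rec.get("type") == "certificate" and "expiration" in rec:
            expires = parse_expiration(rec["expiration"])
            if expires <= now:
                findings.append((rec["name"], "expired", expires.date().isoformat()))
            elif expires - now <= timedelta(days=warn_days):
                findings.append((rec["name"], "expires-soon", expires.date().isoformat()))
        if rec.get("type") == "key" and "key size" in rec:
            bits = int(rec["key size"])
            if bits < MIN_KEY_BITS:
                findings.append((rec["name"], "weak-key", str(bits)))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ssl_cert_output(SAMPLE_OUTPUT), now=BOOKLET_DATE):
        print(*finding)
```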

Creating a Client SSL Template

Create a new client SSL template named “cssl” that uses the imported certificate and key with

the following commands.

AX(config)#slb template client-ssl cssl

AX(config-client ssl)#cert my_cert

AX(config-client ssl)#key my_key

GUI Example:

Figure 23: Config > Service > Template > Client SSL

Using the Client SSL Template

In order to use the newly created template for SSL acceleration, we need to first configure our

virtual server with a HTTPS service port.

AX(config)#slb virtual-server main_vip

AX(config-slb vserver)#port 443 https

Add the client SSL template to the virtual port.

AX(config-slb vserver-vport)#template client-ssl cssl

GUI Example:

Figure 24: Config > Service > SLB > Virtual Server > Port > 443

Since AX will be performing SSL acceleration (handshake, encryption, and decryption) with the

clients, our backend connections to the servers can be made unencrypted through port 80.

Use the service group “web_group” you configured previously on the HTTPS virtual service port.

We will also require the previously configured source NAT pool “source_nat1”.

AX(config-slb vserver-vport)#service-group web_group

AX(config-slb vserver-vport)#source-nat pool source_nat1

Your virtual server configuration should appear as shown below.

AX#show run | section main_vip

slb virtual-server main_vip 192.168.18.101

port 80 http

source-nat pool source_nat1

service-group web_group

template persist cookie cookie-persist

port 443 https

source-nat pool source_nat1

service-group web_group

template client-ssl cssl

You are now ready to test AX’s SSL acceleration. Use your web browser to hit the VIP using the

HTTPS protocol (e.g. https://192.168.18.101). Your browser will most likely give you a warning

message because we are using a self-signed test certificate and key. Just accept the certificate

and continue.

You can check your SSL statistics using the command below.

AX#show slb ssl stat

Number of SSL modules: 1

SSL module 1

number of enabled crypto engines: 12

number of available crypto engines: 12

Current SSL connections: 0

Total SSL connections: 10

Failed SSL handshakes: 0

Failed crypto operations: 0

SSL memory usage: 51840 bytes

SSL fail CA verification 0

HW Context Memory alloc failed 0

HW ring full 0

Record too big 0

GUI Example:

Figure 25: Monitor > Service > Application > SSL

Lab #5 – Policy Based Server Load Balancing (PBSLB)

In this lab we will be using PBSLB to control how clients access our website.

Importing the Black/White List

For the purposes of this lab, a black/white list has been created in advance containing the IP

addresses of all the students’ laptops and placed on server “web1”. IP addresses ending with

an odd number are in group 1 and even numbers are in group 2 (see below).

192.168.18.11/32 1

192.168.18.12/32 2

192.168.18.13/32 1

192.168.18.14/32 2

192.168.18.15/32 1

192.168.18.16/32 2

192.168.18.17/32 1

192.168.18.18/32 2

192.168.18.19/32 1

192.168.18.20/32 2

Import the black/white list using the following command. The login and password are the same

as the previous lab, both are “a10”.

AX(config)#import bw-list odd-even scp://[email protected]/home/a10/odd-even

Password []?

Importing ... Done.

The “show bw-list” command can be used to show the lists currently on AX. You should see the

list you just imported.

AX(config)#show bw-list

Name Url Size(Byte) Date

--------------------------------------------------------------------------------

odd-even Local 144 Feb/19 12:14:32

Now you are ready to define some policies to use with this list.

Using a Black/White List with Policies

To use the black/white list you need to configure policies on the virtual service port. Let’s start

by creating a policy that determines which service-group is used for load balancing on our

website.

In Lab #3 (Templates) you created two service groups named “web_html” and “web_images”.

We will be reusing these groups in this lab. You may remember that each service group

contains only one of our web servers (web_html = web1, web_images = web2).

We will configure policies so that requests from IP addresses belonging to group 1 (i.e. student

IP addresses ending in an odd number) are sent to server “web1” only, and similarly group 2 will

be sent to “web2” only.

First, remove any other templates that may have been left over from previous labs on your

HTTP virtual service port. Simply prefix the command with the keyword “no”. The example

below shows how to remove the cookie persist template we configured in our previous lab.

AX(config)#slb virtual-server main_vip

AX(config-slb vserver)#port 80 http

AX(config-slb vserver-vport)#no template persist cookie cookie-persist

Your virtual server configuration should appear as below.

AX(config-slb vserver-vport)#show run | section main_vip

slb virtual-server main_vip 192.168.18.101

port 80 http

source-nat pool source_nat1

service-group web_group

port 443 https

source-nat pool source_nat1

service-group web_group

template client-ssl cssl

Now add the black/white list to our virtual HTTP port using the following command.

AX(config-slb vserver-vport)#pbslb bw-list odd-even

Also configure the policies that will select the appropriate service group based on the group ID

in the black/white list.

AX(config-slb vserver-vport)#pbslb id 1 service web_html

AX(config-slb vserver-vport)#pbslb id 2 service web_images

Your virtual server configuration should appear as below.

AX(config-slb vserver-vport)#show run | section main_vip

slb virtual-server main_vip 192.168.18.101

port 80 http

source-nat pool source_nat1

service-group web_group

pbslb bw-list odd-even

pbslb id 1 service web_html

pbslb id 2 service web_images

port 443 https

source-nat pool source_nat1

service-group web_group

template client-ssl cssl

Browse the website with your partner. You should notice that all of your requests are sent to one

of the servers, and your partner’s requests are sent to the other server.

Try the “show pbslb” command to view the PBSLB statistics. Sample output is shown below.

AX#show pbslb

Total number of PBSLB configured: 1

Virtual Server Port Blacklist/whitelist GID Connection # (Establish Reset Drop)

--------------------------------------------------------------------------------

main_vip 80 odd-even 1 6 0 0

2 7 0 0

Also check that the policy is working. You and your partner’s requests should have been sent to

the “web_html” and “web_images” service groups.

AX#show slb service-group

Total Number of Service Groups configured: 3

Current = Current Connections, Total = Total Connections

Req-p = Request packets, Resp-p = Response packets

Service Group Name

Service Current Total Req-p Resp-p

-----------------------------------------------------------------------

*web_group State: All Up

web1:80 0 0 0 0

web2:80 0 0 0 0

*web_html State: All Up

web1:80 0 6 23 42

*web_images State: All Up

web2:80 0 7 49 71

More Policy Actions

Now let’s try changing the policies on our virtual service to drop and reset connections based on

group ID. Use the commands shown below to reset connections from group 1 and drop (silently)

connections from group 2.

AX(config)#slb virtual-server main_vip

AX(config-slb vserver)#port 80 http

AX(config-slb vserver-vport)#pbslb id 1 reset

AX(config-slb vserver-vport)#pbslb id 2 drop

Now try browsing the website again. Students with IP addresses belonging to group 1 should no

longer be able to fetch pages. Below is a sample screenshot from Firefox.

Group 1- Connection Reset

Using the “show pbslb” command again, you can see the “Reset” counter for group ID 1

increment.

AX#show pbslb

Total number of PBSLB configured: 1

Virtual Server Port Blacklist/whitelist GID Connection # (Establish Reset Drop)

--------------------------------------------------------------------------------

main_vip 80 odd-even 1 6 3 0

2 7 0 0
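
The black/white list and the per-group actions from this lab can be checked offline before they are imported. The following Python sketch is an added example, not part of the booklet or of AX: it parses the “odd-even” list, audits it, and resolves a client address to the action configured for its group. How AX treats unlisted clients, unconfigured group IDs and overlapping prefixes is assumed here, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# The lab's "odd-even" list as printed in the booklet: "<prefix> <group-id>".
BW_LIST_TEXT = """\
192.168.18.11/32 1
192.168.18.12/32 2
192.168.18.13/32 1
192.168.18.14/32 2
192.168.18.15/32 1
192.168.18.16/32 2
192.168.18.17/32 1
192.168.18.18/32 2
192.168.18.19/32 1
192.168.18.20/32 2
"""

# Group-ID actions from the two lab steps ("pbslb id <n> ...").
POLICY_SERVICE = {1: ("service", "web_html"), 2: ("service", "web_images")}
POLICY_BLOCK = {1: ("reset", None), 2: ("drop", None)}


def parse_bw_list(text):
    """Parse '<prefix> <group-id>' lines; raise ValueError on malformed input."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue
        if len(fields) != 2 or not fields[1].isdigit():
            raise ValueError(f"line {lineno}: expected '<prefix> <group-id>'")
        # strict=True rejects prefixes with host bits set, e.g. 192.168.18.11/24
        network = ipaddress.ip_network(fields[0], strict=True)
        entries.append((network, int(fields[1])))
    return entries


def find_conflicts(entries):
    """Return pairs of overlapping prefixes that carry different group IDs."""
    conflicts = []
    for i, (net_a, gid_a) in enumerate(entries):
        for net_b, gid_b in entries[i + 1:]:
            same_family = net_a.version == net_b.version
            if same_family and gid_a != gid_b and net_a.overlaps(net_b):
                conflicts.append((str(net_a), gid_a, str(net_b), gid_b))
    return conflicts


def odd_even_violations(entries):
    """Host entries that break the lab's rule: odd last octet -> 1, even -> 2."""
    bad = []
    for net, gid in entries:
        expected = 1 if int(net.network_address) & 1 else 2
        if net.prefixlen == net.max_prefixlen and gid != expected:
            bad.append((str(net), gid))
    return bad


def decide(client_ip, entries, policy, default_group="web_group"):
    """Return (action, service_group) for one client address."""
    ip = ipaddress.ip_address(client_ip)
    matches = [(net, gid) for net, gid in entries if ip in net]
    if not matches:
        # Assumption: unlisted clients use the port's own service-group.
        return ("service", default_group)
    # Assumption: the most specific matching prefix wins.
    _, gid = max(matches, key=lambda m: m[0].prefixlen)
    # Assumption: a group ID with no configured action also falls through.
    return policy.get(gid, ("service", default_group))


def tally(clients, entries, policy):
    """Count outcomes per action, in the spirit of the Establish/Reset/Drop columns."""
    return Counter(decide(ip, entries, policy)[0] for ip in clients)


ENTRIES = parse_bw_list(BW_LIST_TEXT)

if __name__ == "__main__":
    for ip in ("192.168.18.11", "192.168.18.12", "192.168.18.99"):
        print(ip, decide(ip, ENTRIES, POLICY_SERVICE), decide(ip, ENTRIES, POLICY_BLOCK))
```

Under these assumptions an address that is not in the list still reaches “web_group” when groups 1 and 2 are set to reset and drop, so the list blocks only what it names.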

Lab #6 – aFleX

In this lab you will use different aFleX scripts to change how AX load balances traffic to our test

website. For the purposes of this lab, the aFleX scripts have been created in advance and your

instructor will go over each in detail during the lab.

Import the aFleX Scripts

The aFleX scripts are stored on server “web1” again. Import the first script named “a1” using the

commands below.

AX(config)#import aflex a1 scp://[email protected]/home/a10/a1

Password []?

Importing ... Done.

Use the “show aflex” command to display the aFleX scripts that have been imported onto the

AX.

AX(config)#show aflex

Total aFleX number: 1

Max aFleX file size: 32K

Name Syntax Virtual port

------------------------------------------------------------

a1 Check No

Providing the aFleX name displays more details and the content of the aFleX script. Try it now

with the “a1” aFleX script.

AX#show aflex a1

Name: a1

Syntax: Check

Virtual port: No

Content:

when CLIENT_ACCEPTED {

pool web_html

}

This is a simple aFleX script that causes AX to always load balance to the service group

“web_html” .

GUI Example:

Figure 26: Config > Service > Aflex > Create (script is created here)

Use aFleX on Virtual Service

You may still have the PBSLB policies on your virtual HTTP service port from the last lab.

AX(config)#show run | b virt

slb virtual-server main_vip 192.168.18.101

port 80 http

source-nat pool source_nat1

service-group web_group

pbslb bw-list odd-even

pbslb id 1 reset

pbslb id 2 drop

port 443 https

source-nat pool source_nat1

service-group web_group

template client-ssl cssl

!

You should remove the PBSLB policies using the commands below.

AX(config)#slb virt main_vip

AX(config-slb vserver)#port 80 http

AX(config-slb vserver-vport)#no pbslb bw-list odd-even

Your virtual server’s configuration should appear as shown below.

AX(config-slb vserver-vport)#show run | b virt

slb virtual-server main_vip 192.168.18.101

port 80 http

source-nat pool source_nat1

service-group web_group

port 443 https

source-nat pool source_nat1

service-group web_group

template client-ssl cssl

!

Now add the aFleX script “a1” to the virtual service port using the commands shown below.

AX(config)#slb virtual-server main_vip

AX(config-slb vserver)#port 80 http

AX(config-slb vserver-vport)#aflex a1

GUI Example:

Figure 27: Config > Service > SLB > Virtual Server

The virtual server’s configuration should now have the aFleX script “a1” added to the virtual port

80 HTTP service port.

AX#show run | section main_vip

slb virtual-server main_vip 192.168.18.101

port 80 http

source-nat pool source_nat1

service-group web_group

aflex a1

port 443 https

source-nat pool source_nat1

service-group web_group

template client-ssl cssl

Notice that the “show aflex” command’s output has changed to show that the script “a1” is in

use (has been “bound” to a virtual port).

AX#show aflex

Total aFleX number: 1

Max aFleX file size: 32K

Name Syntax Virtual port

------------------------------------------------------------

a1 Check Bind

Use your web browser to visit our test website again. Use the “show slb service-group”

command to verify the aFleX script is working (i.e. all the requests are being sent to the

“web_html” service group).

AX#show slb service

Total Number of Service Groups configured: 3

Current = Current Connections, Total = Total Connections

Req-p = Request packets, Resp-p = Response packets

Service Group Name

Service Current Total Req-p Resp-p

-----------------------------------------------------------------------

*web_group State: All Up

web1:80 0 0 0 0

web2:80 0 0 0 0

*web_html State: All Up

web1:80 0 4 8 16

*web_images State: All Up

web2:80 0 0 0 0

Try using the “show aflex <name>” command to see the number of times the aFleX script was

executed and check if there were any errors or aborts.

AX#show aflex a1

Name: a1

Syntax: Check

Virtual port: Bind

main_vip: 80

Statistics:

Event CLIENT_ACCEPTED execute 4 times (0 failures, 0 aborts)

Content:

when CLIENT_ACCEPTED {

pool web_html

}

GUI Example:

Figure 28: Monitor > Service > aFlex

aFleX Scripting – Part 2

We will now move onto our second aFleX script example. Import the script named “a2” onto AX.

The location is the same as the first example except the name of the file is “a2”.

Use the command shown below to view the details of the aFleX script.

AX(config)#show aflex a2

Name: a2

Syntax: Check

Virtual port: Bind

main_vip: 80

Statistics:

Event HTTP_REQUEST execute 7 times (0 failures, 0 aborts)

Content:

when HTTP_REQUEST {

if {[HTTP::uri] ends_with "html" } {

pool web_html

log "Redirect request [HTTP::uri] to HTML service group"

} elseif { ([HTTP::uri] ends_with "jpg") or ([HTTP::uri] ends_with "gif") } {

pool web_images

log "Redirect request [HTTP::uri] to IMAGES service group"

} else {

pool web_group

log "Redirect request [HTTP::uri] to WEB service group"

}

}

This aFleX script emulates the URL switching used in the HTTP template lab.

• The aFleX checks the request URI using the command “[HTTP::uri]”.

• If the URI ends with “html” it selects the “web_html” service group.

• If the URI ends with “jpg” or “gif” it selects the “web_images” service group.

• For all other requests it selects the “web_group” service group.

In addition, we use the aFleX command “log” to log a message for each of the cases covered

above.

Remove the aFleX “a1” from the virtual port and add aFleX “a2”.

slb virtual-server main_vip 192.168.18.101

port 80 http

source-nat pool source_nat1

service-group web_group

aflex a2

Browse the test website and use the “show slb service-group” and “show log” commands to

verify the aFleX is working. You should see log messages similar to those shown below using

the “show log” command.

AX(config)#show log

Log Buffer: 30000

Feb 19 2009 18:37:14 Info [AFLEX]:Redirect request /exseries-index-banner.gif to

IMAGES service group

Feb 19 2009 18:37:14 Info [AFLEX]:Redirect request /exseries.html to HTML service

group

Feb 19 2009 18:37:13 Info [AFLEX]:Redirect request /axseries-platform-advantage.jpg

to IMAGES service group

Feb 19 2009 18:37:13 Info [AFLEX]:Redirect request /axseries.html to HTML service

group

Feb 19 2009 18:37:00 Info [AFLEX]:Redirect request /index-mast-090126c.jpg to

IMAGES service group

Feb 19 2009 18:37:00 Info [AFLEX]:Redirect request /a10banner.jpg to IMAGES service

group

Feb 19 2009 18:37:00 Info [AFLEX]:Redirect request / to WEB service group

GUI Example:

Figure 29: Monitor > System > logging
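
The suffix tests in script “a2” can be checked against the log output above. The following Python sketch is an added example, not part of the booklet or of AX: it mirrors the script’s decisions, confirms that they reproduce the logged lines, and shows constructed URIs where a bare suffix match on the whole URI picks a different group than a match on the path. It assumes that [HTTP::uri] includes the query string and that “ends_with” is case-sensitive; the function names are hypothetical.

```python
import re

# Log lines from the lab's "show log" output, unwrapped to one per line.
LAB_LOG = """\
Feb 19 2009 18:37:14 Info [AFLEX]:Redirect request /exseries-index-banner.gif to IMAGES service group
Feb 19 2009 18:37:14 Info [AFLEX]:Redirect request /exseries.html to HTML service group
Feb 19 2009 18:37:13 Info [AFLEX]:Redirect request /axseries-platform-advantage.jpg to IMAGES service group
Feb 19 2009 18:37:13 Info [AFLEX]:Redirect request /axseries.html to HTML service group
Feb 19 2009 18:37:00 Info [AFLEX]:Redirect request /index-mast-090126c.jpg to IMAGES service group
Feb 19 2009 18:37:00 Info [AFLEX]:Redirect request /a10banner.jpg to IMAGES service group
Feb 19 2009 18:37:00 Info [AFLEX]:Redirect request / to WEB service group
"""

# Constructed URIs (not from the lab) that exercise the edge cases.
EDGE_URIS = ["/index.html?lang=en", "/LOGO.JPG", "/download?file=report.html", "/notes/xhtml"]

LABEL_TO_POOL = {"HTML": "web_html", "IMAGES": "web_images", "WEB": "web_group"}
LOG_RE = re.compile(r"\[AFLEX\]:Redirect request (\S+) to (\w+) service group$")


def select_pool(uri):
    """Mirror of script a2: plain, case-sensitive suffix tests on the whole URI
    (assumption: the URI string carries the query string as well as the path)."""
    if uri.endswith("html"):
        return "web_html"
    if uri.endswith("jpg") or uri.endswith("gif"):
        return "web_images"
    return "web_group"


def select_pool_by_path(uri):
    """Variant: drop the query string, fold case, and require the dot."""
    path = uri.split("?", 1)[0].lower()
    if path.endswith(".html"):
        return "web_html"
    if path.endswith((".jpg", ".gif")):
        return "web_images"
    return "web_group"


def parse_log(text):
    """Return [(uri, pool)] for every aFleX 'Redirect request' log line."""
    decisions = []
    for line in text.splitlines():
        match = LOG_RE.search(line.strip())
        if match:
            decisions.append((match.group(1), LABEL_TO_POOL[match.group(2)]))
    return decisions


def mismatches(text, selector):
    """Logged decisions that the given selector would not reproduce."""
    return [(uri, pool, selector(uri))
            for uri, pool in parse_log(text) if selector(uri) != pool]


def compare(uris):
    """Return (uri, whole-URI choice, path-based choice) where the two differ."""
    return [(u, select_pool(u), select_pool_by_path(u))
            for u in uris if select_pool(u) != select_pool_by_path(u)]


if __name__ == "__main__":
    print("log mismatches:", mismatches(LAB_LOG, select_pool))
    for row in compare(EDGE_URIS):
        print(*row)
```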

Lab #7 – Compression

In this lab you will learn how to configure the compression feature on your AX system. You will

learn how to specify an HTTP template with compression, and how to bind it to a vport. You

will also learn how to use various compression options to control the behavior of your

compression.

You will learn the various show and clear commands associated with compression and how to

troubleshoot when you see problems.

Creating a template with compression enabled

Create a new HTTP template named “compress” using the following commands.

AX(config)#slb template http http-compress

AX(config-HTTP template)#compression enable

AX(config)#slb template http http-compress

AX(config-HTTP template)#compression enable

AX(config-HTTP template)#compression level 5

AX(config-HTTP template)#compression content-type image

AX(config-HTTP template)#compression exclude-content-type application/zip

GUI Example:

Figure 30: Config > Service > Template > Http> Create

Figure 31 Config > Template > Application > http>

Figure 32: Http-Compress

Figure 33: Http Compress

Binding the template to your virtual service port

Now bind the HTTP template you have just created to the virtual service port that you want to

enable compression on. You can do so using the CLI commands given below.

AX(config)#slb virtual-server main_vip

AX(config-slb vserver)#port 80 http

AX(config-slb vserver-vport)#template http compress

The virtual server’s configuration should now have the HTTP template “compress” added to the

virtual port 80 HTTP service port.

You can verify this with the following command.

AX #show runn | begin http

slb template http compress

compression enable

!s

!

slb virtual-server main_vip 192.168.18.101

port 80 http

source-nat pool source_nat1

service-group web_group

template http compress

template cache ramcache

The server 192.168.18.193 has a large compressible file index.html. So make the following

changes in your config. Define a new server web3 as shown below and add it as the sole

member of the service group web_group.

AX(config)#slb server web3 192.168.18.193

AX(config-real server)#port 80 tcp

AX(config)#slb service-group web_group tcp

AX(config-slb svc group)#member web3:80

Note: you may have to remove the 2 members you defined earlier, using the “no” form of the

command, before you can add the new member.

Now, use your laptop’s web browser to go to your virtual server IP address and fetch the file

index.html (e.g. http://192.168.18.101/)

Look at what has happened on the AX by doing a show command as shown below

AX#show slb http-proxy

Total

------------------------------------------------------------------

Curr Proxy Conns 2

Total Proxy Conns 2

HTTP requests 2

HTTP requests(succ) 2

No proxy error 0

Client RST 1

Server RST 0

No tuple error 0

Parse req fail 0

Server selection fail 0

Fwd req fail 0

Fwd req data fail 0

Req retransmit 0

Req pkt out-of-order 0

Server reselection 0

Server premature close 0

Server conn made 2

Source NAT failure 0

Tot data before compress 254583

Tot data after compress 102690

GUI Example:

Figure 33: Monitor > Service > Proxy

Controlling the compression level

Now, change the compression level from the default (level 1) to level 6. You do this as follows:

AX(config)#slb template http compress

AX(config-HTTP)#compression level 6

Look at what has happened on the AX by doing a show command as shown below

AX(config-HTTP)#show slb http-proxy

Total

------------------------------------------------------------------

Curr Proxy Conns 2

Total Proxy Conns 2

HTTP requests 3

HTTP requests(succ) 3

No proxy error 0

Client RST 1

Server RST 0

No tuple error 0

Parse req fail 0

Server selection fail 0

Fwd req fail 0

Fwd req data fail 0

Req retransmit 0

Req pkt out-of-order 0

Server reselection 0

Server premature close 0

Server conn made 2

Source NAT failure 0

Tot data before compress 254583

Tot data after compress 92616

Lab #8 – RAM Caching

In this lab you will learn how to configure the RAM caching features on your AX system. You

will learn how to specify a RAM Cache template and how to bind it to a vport. You will also learn

how to specify various caching policies to control the behavior of your web cache.

You will learn the various show and clear commands associated with RAM caching and how to

troubleshoot when you see problems.

Creating a RAM cache template

Create a new RAM cache template named “ramcache” with the following commands.

AX(config)#slb template cache ramcache

AX(config-ram caching)#age 300

AX(config-ram caching)#min-content-size 50

AX (config-ram caching)#exit

GUI Example:

Figure 34: Config > Template > Application > Ram Caching > Create

Here, we are changing the age of the cache in the template from the default 3600 seconds to

300 seconds. We are also specifying the minimum size of the content to be cached as 50 bytes.

Binding the RAM cache template to your virtual service port

Now bind the template you have just created to the vport that you want to enable caching on.

You do this using the commands shown below.

Your virtual server configuration should appear as below.

AX(config-slb vserver-vport)#show run | section main_vip

slb virtual-server main_vip 192.168.18.101

port 80 http

source-nat pool source_nat1

service-group web_group

Now add the cache template ramcache to the virtual service port using the commands shown

below.

AX(config)#slb virtual-server main_vip

AX(config-slb vserver)#port 80 http

AX(config-slb vserver-vport)#template cache ramcache

The virtual server’s configuration should now have the cache template “ramcache” added to the

virtual port 80 HTTP service port.

AX#show run | section main_vip

slb virtual-server main_vip 192.168.18.101

port 80 http

source-nat pool source_nat1

service-group web_group

template cache ramcache

Look at the current state of the cache on your virtual port by doing the show command given

below.

AX#show slb cache stats main_vip 80

main_vip:80

---------------------------------------------------------------

Cache Hits 0 |

Cache Misses 0 |

Memory Used 0 |Bytes Served 0

Entries Cached 0 |Entries Replaced 0

Entries Aged Out 0 |Entries Cleaned 0

Total Requests 0 |Cacheable Requests 0

No-cache Requests 0 |No-cache Responses 0

Revalidation Successes 0 |Revalidation Failures 0

Policy URI nocache 0 |Policy URI cache 0

Policy URI invalidate 0 |Content Too Big 0

Content Too Small 0 |Cache add skips 0

Entry create failures 0 |Double enqueues 0

Double deletes (hlist) 0 |Double deletes (list) 0

GUI Example:

Figure 35: Monitor > Service > Application > RAM Caching

Now, use your laptop’s web browser to go to your virtual server IP address and fetch the file

index.html (e.g. http://192.168.18.101/index.html )

Look at what has happened on the AX by doing a show command again as shown below

AX#show slb cache stats main_vip 80

main_vip:80

---------------------------------------------------------------

Cache Hits 0 |

Cache Misses 3 |

Memory Used 26624 |Bytes Served 0

Entries Cached 3 |Entries Replaced 0

Entries Aged Out 0 |Entries Cleaned 0

Total Requests 4 |Cacheable Requests 3

No-cache Requests 0 |No-cache Responses 1

Revalidation Successes 0 |Revalidation Failures 0

Policy URI nocache 0 |Policy URI cache 0

Policy URI invalidate 0 |Content Too Big 0

Content Too Small 0 |Cache add skips 0

Entry create failures 0 |Double enqueues 0

Double deletes (hlist) 0 |Double deletes (list) 0

Notice how there were 4 requests made in getting this page. Notice that 3 of them were

cacheable while one wasn’t. You can see that there are 3 misses and 3 objects were cached.

We can get more information on what got cached by doing the following command.

AX#show slb cache entries main_vip 80

main_vip:80

Host Object URL Bytes Status Expires in

-----------------------------------------------------------------------------------------------

192.168.18.101 /a10banner.jpg 7498 FR 989 s

192.168.18.101 /index.html 757 FR 593975 s

192.168.18.101 /index-mast-090126c.jpg 5854 FR 989 s

AX #

As you can see, the cache has 3 entries. Two of the objects are images (JPEGs) and they have

been cached for 1000 seconds. The other is the HTML file index.html and it has been cached

for 60000 seconds. Both entries are fresh (FR).

Question: What is the 4th request and why isn’t it cached?

Now, clear the cached entries from the browser by going to the appropriate menu and doing a

“Delete Browsing History” if you are using IE or the equivalent command for your browser of

choice. You will need to do this, otherwise the browser will just pick up the object from its local

cache instead of requesting it from the AX on the subsequent request.

Now make another request for the http://192.168.18.101/index.html page.

Then issue the show command shown below one more time to see what happens.

AX#show slb cache stats main_vip 80

main_vip:80

---------------------------------------------------------------

Cache Hits 3 |

Cache Misses 3 |

Memory Used 26624 |Bytes Served 24109

Entries Cached 3 |Entries Replaced 0

Entries Aged Out 0 |Entries Cleaned 0

Total Requests 8 |Cacheable Requests 6

No-cache Requests 0 |No-cache Responses 2

Revalidation Successes 0 |Revalidation Failures 0

Policy URI nocache 0 |Policy URI cache 0

Policy URI invalidate 0 |Content Too Big 0

Content Too Small 0 |Cache add skips 0

Entry create failures 0 |Double enqueues 0

Double deletes (hlist) 0 |Double deletes (list) 0

As you can see, now the 3 objects were found in the cache (notice the Cache Hits). You can

also see that the 3 objects were served from the cache (notice the Bytes Served).

Changing the default behavior – Caching policies

Create a couple of caching policies to modify the default behavior by specifying the commands

shown below.

AX(config)#slb template cache ramcache

AX(config-ram caching)#policy uri /index.html cache 8000

AX(config-ram caching)#policy uri /a10banner.jpg nocache

AX (config)#exit

Your caching template will now look as shown below.

AX(config-ram caching)#show slb template cache ramcache

slb template cache ramcache

age 300

min-content-size 50

policy uri /index.html cache 8000

policy uri /a10banner.jpg nocache

Now, clear your cache entries using the command shown below.

AX# clear slb cache entries main_vip 80

Now, clear your browser cache as previously described and hit the URL

http://192.168.18.101/index.html again.

AX(config-ram caching)#show slb cache entries main_vip 80

main_vip:80

Host Object URL Bytes Status Expires in

-----------------------------------------------------------------------------------------------

192.168.18.101 /index.html 781 FR 7982 s

192.168.18.101 /index-mast-090126c.jpg 15854 FR 982 s

Notice how this time only 2 objects are in the cache. Also notice how the time that /index.html is

cached is now 8000 seconds.

Lab #9 – System Configuration Practice

AX(config)#sh ver

AX Series Advanced Traffic Manager AX2000

Copyright 2007-2009 by A10 Networks, Inc.

Advanced Core OS (ACOS) version 2.0.2, build 56 (Mar-20-2009,18:46)

Booted from hard disk secondary image

Serial Number: AX20231108040037

aFleX version: 2.0.0

Hard disk primary image version 1.2.7-p1, build 5

Hard disk secondary image (default) version 2.0.2, build 56

Compact flash primary image (default) version 1.2.1, build 259

Compact flash secondary image version 1.2.1, build 259

Last configuration saved at Apr-9-2009, 16:10

Hardware: 4 CPUs, Single 75G Hard disk

Memory 2072 Mbyte, Free Memory 837 Mbyte

Current time is Apr-12-2009, 02:33

The system has been up 0 day, 0 hour, 19 minutes

GUI Example:

Figure 36: Monitor > Overview> Summary

AX(config)#sh startup all

Current startup-config profile: anu-ssl-response-time-test

Primary startup-config profile: anu-ssl-response-time-test

Secondary startup-config profile: anu-ssl-response-time-test

Profile-Name Size Time

------------------------------------------------------------

gilbert 1819 Apr 30 19:11

steven 787 May 06 15:55

hawkins 2640 Jul 03 13:30

tim 2640 Jul 03 13:30

smartbits 955 Jul 29 12:06

kddi 8755 Sep 05 15:41

comcast-prom-vip 1663 Dec 16 13:56

ax2k-l2-hot-standby 10644 Sep 10 17:18

vip-failover 0 Sep 11 14:24

slb-templates 910 Sep 12 13:07

disabled 910 Sep 13 11:08

bug23859 910 Sep 16 13:01

ax2k-l2inline 11642 Nov 17 13:56

ax2k-l3inline 10527 Nov 13 15:42

AX(config)#link ?

startup-config Startup Configuration

AX(config)#link startup ?

default Default startup-config

WORD<length:1-31> Local Configuration Profile Name

AX(config)#link startup anu-ssl-response-time-test ?

cf Create link in compact flash

primary Create link in primary partition

secondary Create link in secondary partition

<cr>

AX(config)#link startup anu-ssl-response-time-test

New Profile will come into effect after next reload/reboot

AX(config)#booti ?

cf Compact flash

hd Hard disk

AX(config)#booti hd ?

pri Primary image

sec Secondary image

AX(config)#booti hd sec ?

<cr>

AX(config)#booti hd sec

Secondary image will be used if AX is booted from hard disk

AX(config)#

You will need console access for this.

Changing boot partition during bootup

While the system is booting, press F2 at the BIOS screen to see the boot menu. This is useful if the hard disk cannot boot and you need to boot from compact flash.

Manufacturing reset

• Reboot the system.

• Within the first 5 minutes after the system boots, log in to the system from the console port. The user name is “reset” and the password is the serial number of the AX system. The serial number is on a label on the back of the AX system.

Welcome to AX

AX login: reset

Password: AX22231107390014

• Answer the following questions:

- Reset the admin password to default

- Reset enable password to default

- Erase the startup-config

• Log in as admin. Set the new password/enable-password and then save the configuration.

AX Debugging lab

AX#sh stat

Port Good Rcv Good Sent Bcast Rcv Bcast Sent Errors

---------------------------------------------------------------------------

1 41 0 14 0 0

2 0 0 0 0 0

3 0 0 0 0 0

4 0 0 0 0 0

5 0 8720 0 8720 0

6 33463 66384 0 9149 0

7 0 0 0 0 0

9 0 0 0 0 0

10 0 0 0 0 0

GUI Example:

Figure 37: Monitor > Network > Interfaces

AX#sh slb switch

Total

------------------------------------------------------------------

L2 Forward 0

L3 IP Forward 0

IPv4 No Route Drop 0

L3 IPv6 Forward 0

IPv6 No Route Drop 0

L4 Process 15

Incorrect Len Drop 0

Prot Down Drop 0

Unknown Prot Drop 0

TTL Exceeded Drop 0

Link Down Drop 0

SRC Port Suppression 0

VLAN Flood 0

IP Fragment Rcvd 0

ARP REQ Rcvd 0

ARP RESP Rcvd 0

Forward Kernel 5

IP(TCP) Fragment Rcvd 0

IP Fragment Overlap 0

IP Frag Overload Drops 0

IP Fragment Reasm OKs 0

IP Fragment Reasm Fails 0

Anomaly LAN Attack Drop 0

Anomaly IP OPT Drops 0

Anomaly PingDeath Drop 0

Anomaly All Frag Drop 0

Anomaly TCP noFlag Drop 0

Anomaly SYN Frag Drop 0

Anomaly TCP SYNFIN Drop 0

Anomaly Any Drops 0

MTU exceeded Drops 0

BPDUs Received 0

BPDUs Sent 0

ACL Denys 0

SYN rate exceeded Drop 0

Packet Error Drops 0

GUI Example:

Figure 38: Monitor > Overview > Application > switch

AX#sh slb l4

Total

------------------------------------------------------------------

IP out noroute 0

TCP out RST 0

TCP out RST no SYN 0

TCP out RST L4 proxy 0

TCP out RST ACK attack 0

TCP out RST aFleX 0

TCP out RST stale sess 0

TCP out RST TCP proxy 0

TCP SYN received 1

TCP SYN cookie snt 1

TCP SYN cookie snt fail 0

TCP received 15

UDP received 0

Server sel failure 0

Source NAT failure 0

TCP SYN cookie failed 0

No vport drops 0

No SYN pkt drops 0

No SYN pkt drops - FIN 0

No SYN pkt drops - RST 0

No SYN pkt drops - ACK 0

Conn Limit drops 0

Conn Limit resets 0

Proxy no sock drops 0

aFleX drops 0

Session aged out 0

TCP no SLB 0

UDP no SLB 0

SSL SID persist (succ) 0

SSL SID persist (fail) 0

SYN Throttle 0

Misc Error Mask 0

Misc Errors 0

AX#sh slb http

Total

------------------------------------------------------------------

Curr Proxy Conns 0

Total Proxy Conns 1

HTTP requests 1

HTTP requests(succ) 1

No proxy error 0

Client RST 0

Server RST 0

No tuple error 0

Parse req fail 0

Server selection fail 0

Fwd req fail 0

Fwd req data fail 0

Req retransmit 0

Req pkt out-of-order 0

Server reselection 0

Server premature close 0

Server conn made 1

Source NAT failure 0

Tot data before compress 0

Tot data after compress 0

AX(config)#sh runn | be slb virtual

slb virtual-server vs-ssl 20.20.5.150

port 443 https

source-nat pool natpool

service-group sg-80

template client-ssl clientssl

!

!

!

AX(config)#sh slb virtu vs-ssl

Virtual server: vs-ssl State: All Up IP: 20.20.5.150

Pri Port/State Curr-conn Total-conn Rx-Pkt Tx-Pkt

------------------------------------------------------------------------

Virtual Port:443 / service:sg-80 / state:All Up

port 443 https

1 ssl-server:80/Up 0 1 5 5

Source NAT Pool: natpool SSL Client Template: clientssl

AX(config)#sh slb virtu vs-ssl ?

detail Virtual server details including statistics

<1-65535> virtual port

| Output modifiers

<cr>

AX(config)#sh slb virtu vs-ssl deta

Virtual server name: vs-ssl

Virtual server IP address: 20.20.5.150

Virtual server template: default

Current connection: 0

Total connection: 1

Total forwarded byte: 478

Total forwarded packet: 5

Total received byte: 3333

Total received packet: 5

AX(config)#sh slb service-g sg-80

Service group name: sg-80 State: All Up

Service: ssl-server:80

Request packets: 5 Response packets: 5

Request bytes: 478 Response bytes: 3333

Current connections: 0 Persistent connections: 0

Total connections: 1 Response time: 0.00 msec

AX(config)#sh slb service-g sg-80 ?

WORD service group name

config Service Group configuration

| Output modifiers

<cr>

AX(config)#sh slb server ssl-server

Total Number of Services configured on Server ssl-server: 2

Current = Current Connections, Total = Total Connections

Req-pkt = Request packets, Resp-pkt = Response packets

Service Current Total Req-pkt Resp-pkt State/Rsp Time

--------------------------------------------------------------------------------

ssl-server:443/tcp 0 0 0 0 Up 0.00 ms

ssl-server:80/tcp 0 1 5 5 Up 0.00 ms

ssl-server: Total 0 1 5 5 Up

AX(config)#sh slb server ssl-server ?

config Configuration

connection-reuse Connection Reuse Statistics

detail Server details including statistics

<1-65535> Port number

| Output modifiers

<cr>

AX(config)#sh slb server ssl-server det

Server name: ssl-server

Server IP address: 192.168.100.1

State: Up

Server template: default

Health check: default

Current connection: 0

Total connection: 1

Total forwarded byte: 478

Total forwarded packet: 5

Total received byte: 3333

Total received packet: 5

AX(config)#

AX#d axdebug ?

<cr>

AX#axdebug

AX(axdebug)#?

capture Dump packets

clear Clear or Reset Functions

count Maximum packets to capture. Default is 3000

delete Delete a capture file

exit Exit from axdebug mode

filter Global debug filter

incoming Incoming interface

length Packet length to capture

maxfile Maximum number of debug packet files. Default is 100

no Negate a command or set its defaults

outgoing Outgoing interface

show Show Running System Information

timeout Maximum number of minutes for a capture. Default is 5 minutes

write Write Configuration

AX(axdebug)#capture ?

brief Print basic packet information

detail Include packet payload

non-display Do not print to screen

save Save packets into file

AX(axdebug)#capture brief

Wait for debug output, enter <ctrl c> to exit

i( 5, 0,1100a)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 S 974c4e:0(0)

o( 5, 0,1100a)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 SA 89571844:974c4f(0)

i( 5, 0,1100b)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 A 974c4f:89571845(0)

i( 5, 0,1100c)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 PA 974c4f:89571845(142)

o( 5, 0,1100b)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 A 89571845:974cdd(0)

o( 5, 0,14555)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 PA 89571845:974cdd(1031)

i( 5, 0,1100d)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 A 974cdd:89571c4c(0)

i( 5, 0,1100e)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 PA 974cdd:89571c4c(198)

o( 5, 0,1100d)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 A 89571c4c:974da3(0)

o( 5, 0,14554)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 PA 89571c4c:974da3(59)

i( 5, 0,1100f)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 PA 974da3:89571c87(218)

o( 5, 0,14553)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 A 89571c87:974e7d(0)

o( 6, 0,14551)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 S 8cfd3ae:0(0)

i( 6, 0, 9d02)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2053 SA 23e4f456:8cfd3af(0)

o( 6, 0,14550)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 A 8cfd3af:23e4f457(0)

o( 6, 0, 9d02)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 PA 8cfd3af:23e4f457(142)

i( 6, 0, 9d01)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2053 A 23e4f457:8cfd43d(1356)

o( 6, 0,1454f)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 A 8cfd43d:23e4f9a3(0)

i( 6, 0, 9d00)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2053 PA 23e4f9a3:8cfd43d(1356)

o( 5, 0,1454d)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 A 89571c87:974e7d(1368)

o( 5, 0,1454c)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 PA 895721df:974e7d(29)

i( 6, 0, 9cff)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2053 PA 23e4feef:8cfd43d(353)

o( 6, 0,1454b)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 A 8cfd43d:23e50050(0)

o( 5, 0,14549)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 A 895721fc:974e7d(1368)

o( 5, 0,14548)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 PA 89572754:974e7d(29)

i( 5, 0,11010)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 A 974e7d:895721fc(0)

o( 5, 0,11010)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 PA 89572771:974e7d(389)

i( 5, 0,11011)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 A 974e7d:89572771(0)

i( 5, 0,11012)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 FA 974e7d:895728f6(0)

o( 5, 0,11011)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 FA 895728f6:974e7e(0)

o( 6, 0,14546)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 FA 8cfd43d:23e50050(0)

i( 5, 0,11013)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 A 974e7e:895728f7(0)

i( 6, 0, 9cfe)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2053 FA 23e50050:8cfd43e(0)

o( 6, 0,11013)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 A 8cfd43e:23e50051(0)
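
The capture above contains two TCP connections for one request: the client's connection to the VIP on port 443 and a second connection opened from 192.168.100.249 to the real server on port 80. The following Python is an added example, not part of the booklet: it parses `capture brief` lines and lists the server-side legs that leave the AX on a non-TLS port. The field meanings (`i`/`o` as in/out of the AX, the first number in parentheses as the interface, the final number in parentheses as payload length) are assumptions read off the output, and `SAMPLE` is a constructed subset of the lines above.

```python
import re

# Constructed sample: a subset of the capture lines above, one of them still wrapped.
SAMPLE = """\
i( 5, 0,1100a)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 S 974c4e:0(0)
o( 5, 0,1100a)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 13477 SA 89571844:974c4f(0)
i( 5, 0,1100c)> ip 20.20.5.42 > 20.20.5.150 tcp 13477 > 443 PA 974c4f:89571845(142)
o( 6, 0,14551)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 S 8cfd3ae:0(0)
i( 6, 0, 9d02)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2053 SA
23e4f456:8cfd3af(0)
o( 6, 0, 9d02)> ip 192.168.100.249 > 192.168.100.1 tcp 2053 > 80 PA 8cfd3af:23e4f457(142)
i( 6, 0, 9d01)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2053 A 23e4f457:8cfd43d(1356)
"""

PKT_START = re.compile(r"^[io]\(")
PKT = re.compile(
    r"^([io])\(\s*(\d+),\s*\d+,\s*[0-9a-f]+\)> ip (\S+) > (\S+) "
    r"tcp (\d+) > (\d+) ([A-Z]+) [0-9a-f]+:[0-9a-f]+\((\d+)\)$"
)

def rejoin(text):
    """Re-attach a wrapped seq:ack(len) tail to the packet line it belongs to."""
    out = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        prev_cut = out and PKT_START.match(out[-1]) and not PKT.match(out[-1])
        if prev_cut and not PKT_START.match(line):
            out[-1] += " " + line
        else:
            out.append(line)
    return out

def parse(text):
    """Return one dict per packet line; debug and payload lines are skipped."""
    pkts = []
    for line in rejoin(text):
        m = PKT.match(line)
        if m:
            d, iface, src, dst, sport, dport, flags, length = m.groups()
            pkts.append({"dir": d, "iface": int(iface), "flags": flags,
                         "src": (src, int(sport)), "dst": (dst, int(dport)),
                         "len": int(length)})
    return pkts

def connections(pkts):
    """Group packets per TCP connection; a bare SYN identifies the initiator."""
    table = {}
    for p in pkts:
        fwd, rev = (p["src"], p["dst"]), (p["dst"], p["src"])
        if p["flags"] == "S":
            # Assumption: an outbound ('o') SYN is a connection the AX opened itself.
            table[fwd] = {"opened_by": "AX" if p["dir"] == "o" else "client",
                          "iface": p["iface"], "to_responder": 0, "to_initiator": 0}
        elif fwd in table:
            table[fwd]["to_responder"] += p["len"]
        elif rev in table:
            table[rev]["to_initiator"] += p["len"]
    return table

def cleartext_server_legs(table, tls_ports=(443,)):
    """Responders the AX connected to on a non-TLS port (the offloaded leg)."""
    return sorted(resp for (_, resp), c in table.items()
                  if c["opened_by"] == "AX" and resp[1] not in tls_ports)

if __name__ == "__main__":
    conns = connections(parse(SAMPLE))
    for (init, resp), c in conns.items():
        print(init, "->", resp, c)
    print("cleartext server legs:", cleartext_server_legs(conns))
```

With the `vs-ssl` configuration shown earlier (port 443 https, service group sg-80), the only leg reported is 192.168.100.1:80, which is the segment where the request travels unencrypted.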

Dump SSL encrypted data

AX#debug packet l3 ip 20.20.5.150

AX#debug ssl

AX#debug http

AX#debug tcp

AX#show debug

debug packet is on

debug tcp-proxy is on

debug http-proxy is on

debug ssl is on

AX#debug mon

Wait for debug output, enter <ctrl c> to exit

i( 5, 0,1109d)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 S 97d96bd2:0(0)

o( 5, 0,1109d)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 SA 3dbd5544:97d96bd3(0)

i( 5, 0,1109e)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 A 97d96bd3:3dbd5545(0)

(51983178) skb(0xa884f700), skb->len 66

(51983178) master sock 0xb1083b50, conn 0x80040b80, conn_tuple 0x80040b80, dir 0 (nil) (nil)

(51983178) Create a child sock 0xb105c4d0 parent 0xb1083b50

(51983178) TCP Notification 0xb105c4d0 0x1

i( 5, 0,1109f)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 PA 97d96bd3:3dbd5545(142)

(51983178) skb(0xa884ff00), skb->len 208

o( 5, 0,1109e)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 A 3dbd5545:97d96c61(0)

(51983178) TCP Notification 0xb105c4d0 0x2

(51983178) sending len 1031 1368 1368

o( 5, 0, 9c6b)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 PA 3dbd5545:97d96c61(1031)

i( 5, 0,110a0)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 A 97d96c61:3dbd594c(0)

(51983179) skb(0xa8850700), skb->len 66

(51983179) TCP Notification 0xb105c4d0 0x4

i( 5, 0,110a1)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 PA 97d96c61:3dbd594c(198)

(51983179) skb(0xa8850f00), skb->len 264

o( 5, 0,110a0)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 A 3dbd594c:97d96d27(0)

(51983179) TCP Notification 0xb105c4d0 0x2

(51983179) sending len 59 1368 1368

o( 5, 0, 6fe4)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 PA 3dbd594c:97d96d27(59)

(51983179) HTTP proxy process, ev 1, tup 0x80040b80, data (nil)

(51983179) (HTTP_PROXY_CLIENT_REQUEST) 0x80040c00

(51983179) (HTTP_PROXY_CLIENT_REQUEST) 0x80040c00 Client connected.

i( 5, 0,110a2)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 PA 97d96d27:3dbd5987(218)

(51983179) skb(0xa8851700), skb->len 284

o( 5, 0, 6fe3)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 A 3dbd5987:97d96e01(0)

(51983179) TCP Notification 0xb105c4d0 0x6

=====decryption start:142=====

GET /tours/index.html HT

TP/1.0..User-Agent: Wget

/1.9+cvs-stable (Red Hat

modified)..Host: 20.20.

5.150..Accept: */*..Conn

ection: Keep-Alive....

=====decryption end=====

(51983179) HTTP proxy process, ev 2, tup 0x80040b80, data 0xa8851700

(51983179) (HTTP_PROXY_CLIENT_REQUEST) 0x80040c00

(51983179) (HTTP_PROXY_CLIENT_REQUEST) 0x80040c00 client request enqueue 0xa8851700

(51983179) lb_http_proxy_inspect_client_request

(51983179) HTTP request GET /tours/index.html HTTP/1.0

(51983179) (HTTP_PROXY_CLIENT_REQUEST) 0x80040c00 request inspected, forward to server...

(51983179) lb_http_proxy_forward_request

(51983179) New client tcp established. 0xb105c810 0x83a6898

o( 6, 0, 6fe1)> ip 192.168.100.249 > 192.168.100.1 tcp 2094 > 80 S c0325922:0(0)

(51983179) HTTP State Change: HTTP_PROXY_CLIENT_REQUEST->HTTP_PROXY_SERVER_CONNECTING 0x80040c00

i( 6, 0, 2f14)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2094 SA b9df9c26:c0325923(0)

(51983179) skb(0xa178a700), skb->len 74

o( 6, 0, 6fe0)> ip 192.168.100.249 > 192.168.100.1 tcp 2094 > 80 A c0325923:b9df9c27(0)

(51983179) TCP Notification 0xb105c810 0x5

(51983179) HTTP proxy process, ev 1, tup 0x80040b98, data (nil)

(51983179) (HTTP_PROXY_SERVER_CONNECTING) 0x80040c00

(51983179) (HTTP_PROXY_SERVER_CONNECTING) 0x80040c00 Server Connected.

(51983179) HTTP send one request, proxy 0x80040c00, 503(0)

(51983179) Forward idempotent request to server..., 0xa8851700

(51983179) sending len 142 1448 1448

o( 6, 0, 2f14)> ip 192.168.100.249 > 192.168.100.1 tcp 2094 > 80 PA c0325923:b9df9c27(142)

(51983179) HTTP State Change: HTTP_PROXY_SERVER_CONNECTING->HTTP_PROXY_SERVER_CONNECTED 0x80040c00

i( 6, 0,129b8)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2094 A b9df9c27:c03259b1(1356)

(51983179) skb(0xa94dc700), skb->len 1422

o( 6, 0, 6fdf)> ip 192.168.100.249 > 192.168.100.1 tcp 2094 > 80 A c03259b1:b9dfa173(0)

(51983179) TCP Notification 0xb105c810 0x6

(51983179) HTTP proxy process, ev 2, tup 0x80040b98, data 0xa94dc700

(51983179) (HTTP_PROXY_SERVER_CONNECTED) 0x80040c00

(51983179) HTTP State Change: HTTP_PROXY_SERVER_CONNECTED->HTTP_PROXY_SERVER_RESPONSE 0x80040c00

(51983179) (HTTP_PROXY_SERVER_RESPONSE) 0x80040c00

(51983179) (HTTP_PROXY_SERVER_RESPONSE) 0x80040c00 server resp, http enqueue, 0xa94dc700

(51983179) Find Content-Length: 2975

(51983179) HTTP slow path, running remain_len 1709

(51983179) HTTP response, status 200

=====encryption start:1356=====

HTTP/1.1 200 OK..Content

-length: 2975..Content-T

ype: text/html..Connecti

on: Keep-Alive....<html>

..<head>..<title>Mercury

Tours</title>..<meta ht

tp-equiv="Content-Type"

content="text/html; char

set=iso-8859-1">..</head

>....<body bgcolor="#FFF

FFF" marginwidth=0 margi

nheight=0 topmargin=0 le

ftmargin=0>..<table widt

h="100%" border="0" cell

spacing="0" cellpadding=

"0">.. <tr bgcolor="#00

00CC" align="center"> ..

<td>.. <table w

idth="100%" border="0" c

ellspacing="8" cellpaddi

ng="0">.. <tr ali

gn="center"> ..

<td><img src="Merc10-de

v/images/banner_animated

.gif" width="576" height

="100"></td>.. </

tr>.. </table>..

.. </td>.. </tr>.

. <tr>.. <td>..

<table width="632" bord

er="0" cellspacing="0" c

ellpadding="0">..

<tr>.. <td bgc

olor="#66CCFF" width="12

5" valign="top"><img src

="Merc10-dev/images/sun_

swede.gif" alt=Sun width

=125 height=120> ..

<br clear>..

<form method=get

action=/cgi-bin/login>..

<input typ

e=hidden name=userSessio

n value=75893.0884568651

DQADHfApHDHfcDtccpfAttcf

>.. <center

>.. <tabl

e border=0 height=140>..

<tr>..

<td>

<font size=3>&nbsp;<b>Me

mber name</b></font> ..

<tr>..

<td>.

. <

input type=text name=use

rname value=

=====encryption end=====

(51983179) msg_complete? 0

i( 6, 0, cfc)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2094 PA b9dfa173:c03259b1(1356)

(51983179) skb(0xa067e700), skb->len 1422

(51983179) TCP Notification 0xb105c810 0x2

(51983179) sending len 1397 1368 1368

o( 5, 0, 6fdd)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 A 3dbd5987:97d96e01(1368)

o( 5, 0, 6fdc)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 PA 3dbd5edf:97d96e01(29)

(51983179) HTTP proxy process, ev 2, tup 0x80040b98, data 0xa067e700

(51983179) (HTTP_PROXY_SERVER_RESPONSE) 0x80040c00

(51983179) (HTTP_PROXY_SERVER_RESPONSE) 0x80040c00 Response from server, forward

=====encryption start:1356=====

'' size=12>..

<tr>..

<td><font size=

3>&nbsp;<b>Password</b><

/font> ..

<tr>..

<td>..

<input type=pas

sword name=password valu

e='' size=12>..

<tr>..

<td align=cen

ter>..

<input type=image na

me=login value=Login alt

=Login border=0 src='Mer

c10-dev/images/login.gif

' width=95 height=25>...

. ..

</table>..

</center>..

<p>..

<input type=h

idden name=JSFormSubmit

value='off'>..

</p>..

<p>&nbsp; </p>..

</form>.. <

/td>.. <td vali

gn="top">.. <

table width="507" border

="0" cellspacing="0" cel

lpadding="0">..<!--...

<tr>..

<td><img src="pics/ban

ner_merctur.jpg" width="

507" height="94"></td>..

. </tr>..-->..

<tr>..

<td>..

<table width=507>

........<img src="images

/banner_merctur.jpg" wid

th=507 height=94>..<br c

lear>..<table width=507>

..<tr><td>&nbsp;<TR><TD>

..<blockquote><font size

=+1>..<!--.. Welcome to

the Mercury Tours websit

e. To make reservations

,.. please enter your ac

count information to the

left. ..-->..Welcome to

the Mercury Tours websi

te. To make reservation

s, please enter..your ac

count inform

=====encryption end=====

(51983180) msg_complete? 0

i( 6, 0, cfb)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2094 PA b9dfa6bf:c03259b1(353)

(51983180) skb(0xa067df00), skb->len 419

o( 6, 0, 6fdb)> ip 192.168.100.249 > 192.168.100.1 tcp 2094 > 80 A c03259b1:b9dfa820(0)

(51983180) TCP Notification 0xb105c810 0x2

(51983180) sending len 1397 1368 1368

o( 5, 0, 6fd9)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 A 3dbd5efc:97d96e01(1368)

o( 5, 0, 6fd8)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 PA 3dbd6454:97d96e01(29)

(51983180) HTTP proxy process, ev 2, tup 0x80040b98, data 0xa067df00

(51983180) (HTTP_PROXY_SERVER_RESPONSE) 0x80040c00

(51983180) (HTTP_PROXY_SERVER_RESPONSE) 0x80040c00 Response from server, forward

=====encryption start:353=====

ation to the left. ..<!

-- To sign up with Mercu

ry Tours,..choose a Memb

er Name and Password, th

en click on the 'sign up

' button. -->..</font>..

</blockquote>......

</table>..

</td>..

</tr>..

</table>..

</td>.. </tr>.

. </table>.. </t

d>.. </tr>..</table>..<

/body>..</html>..

=====encryption end=====

(51983180) msg_complete? 1

(51983180) HTTP State Change: HTTP_PROXY_SERVER_RESPONSE->HTTP_PROXY_CLIENT_REQUEST 0x80040c00

i( 5, 0,110a3)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 A 97d96e01:3dbd5efc(0)

(51983180) skb(0xa8851f00), skb->len 66

(51983180) TCP Notification 0xb105c4d0 0x4

(51983180) sending len 389 1368 1368

o( 5, 0,110a3)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 PA 3dbd6471:97d96e01(389)

i( 5, 0,110a4)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 A 97d96e01:3dbd6471(0)

(51983180) skb(0xa8852700), skb->len 66

(51983180) TCP Notification 0xb105c4d0 0x4

i( 5, 0,110a5)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 FA 97d96e01:3dbd65f6(0)

(51983180) skb(0xa8852f00), skb->len 66

(51983180) TCP Notification 0xb105c4d0 0x6

(51983180) HTTP proxy process, ev 3, tup 0x80040b80, data (nil)

(51983180) (HTTP_PROXY_CLIENT_REQUEST) 0x80040c00

(51983180) sk 0xb105c4d0, state 8

o( 5, 0,110a4)> ip 20.20.5.150 > 20.20.5.42 tcp 443 > 31150 FA 3dbd65f6:97d96e02(0)

(51983180) sk 0xb105c810, state 1

o( 6, 0, 6fd6)> ip 192.168.100.249 > 192.168.100.1 tcp 2094 > 80 FA c03259b1:b9dfa820(0)

i( 5, 0,110a6)> ip 20.20.5.42 > 20.20.5.150 tcp 31150 > 443 A 97d96e02:3dbd65f7(0)

(51983180) skb(0xa8853700), skb->len 66

(51983180) Destruction of the TCP socket 0xb105c4d0 delayed, refcnt=2

i( 6, 0, cfa)> ip 192.168.100.1 > 192.168.100.249 tcp 80 > 2094 FA b9dfa820:c03259b2(0)

(51983180) skb(0xa067d700), skb->len 66

o( 6, 0,110a6)> ip 192.168.100.249 > 192.168.100.1 tcp 2094 > 80 A c03259b2:b9dfa821(0)

(51983180) Destruction of the TCP socket 0xb105c810 delayed, refcnt=2

Things to do before calling tech support

If the problem is reproducible:

1. Issue show tech

2. Create the issue

3. Issue show tech again

4. Send both show tech outputs to [email protected]

If the problem has already happened and you have already rebooted the system:

1. Issue show tech

2. Issue backup log

3. Send both the show tech output and the backup log to [email protected]