Changes to Default Behavior

This chapter highlights the major changes to default or existing behavior in the ACOS 4.x releases as compared to earlier releases.

     Default Behavior Changes from Previous Releases to ACOS 4.1.0-P3

     Default Behavior Changes Between ACOS 4.1.0 and ACOS 4.1.0-P2

     Default Behavior Changes Between ACOS 4.0.1 and ACOS 4.1.0

     Default Behavior Changes Between ACOS 4.0 and ACOS 4.0.1

     Default Behavior Changes Between Legacy 2.x Releases and ACOS 4.x Releases

Default Behavior Changes from Previous Releases to ACOS 4.1.0-P3

This section contains the following changes between ACOS release 4.1.0-P3 and earlier 2.7.2.x and 4.x releases.

The following topics are covered:

     Default TLS Version and Behavioral Changes for Server SSL

Default TLS Version and Behavioral Changes for Server SSL

The default TLS version for the SSL session with the Internet server is set to 1.0 in release 4.1.0 and changed to 1.2 in release 4.1.0-P3. The TLS version sent in the TLS handshake tells the server the highest TLS version that ACOS can support.

The downgrade behavior of the version command, when configuring a server SSL SLB template, has also changed between 4.1.0 and 4.1.0-P3.

TABLE 1 lists, for each ACOS release, the default TLS version for the Server SSL handshake, the minimum downgrade version, and the behavior of the version command.

TABLE 1       TLS Version Chart

ACOS Release                            Default TLS version   Minimum Downgrade Version
2.7.2-x                                 1.2                   1.0
4.0-x, 4.0.1-x, 4.0.3-x, 4.1.0          1.0                   1.0
4.1.0-P1, 4.1.0-P2, 4.1.0-P3            1.2                   1.0

Behavior Description, 2.7.2-x:

The version command in server-SSL template configuration is only used for normal SSL offload and has no effect on SSLi.

Behavior Description, 4.0-x, 4.0.1-x, 4.0.3-x, and 4.1.0:

The version command in the server-SSL template is also used for SSLi. The downgrade must be explicitly configured for a downgrade to occur.

In the following example, no downgrade will occur, and only TLS 1.2 is allowed:

ACOS(config)#slb template server-ssl sssl
ACOS(config-server ssl)#version 33

To allow a downgrade to a different version, specify a minimum downgrade version. In this example, TLS version 1.0 is the minimum allowable version that can be used to communicate with the server:

ACOS(config-server ssl)#version 33 31

In SSLi configurations, the version configured on the server-SSL template must match the forward-proxy-ssl-version configured on the client-SSL template. For example, in the client-SSL template:

ACOS(config)#slb template client-ssl cssl
ACOS(config-client ssl)#forward-proxy-ssl-version 33

Behavior Description, 4.1.0-P1, 4.1.0-P2, and 4.1.0-P3:

The behavior of the version command is changed so that a downgrade to the default downgrade version can occur even if it is not specified.

The following configurations have the same behavior; in both, TLS version 1.0 is the minimum allowable version that can be used:

ACOS(config)#slb template server-ssl sssl
ACOS(config-server ssl)#version 33 31

ACOS(config)#slb template server-ssl sssl
ACOS(config-server ssl)#version 33

To disable downgrading, you must set the version and the minimum downgrade version to be the same:

ACOS(config)#slb template server-ssl sssl
ACOS(config-server ssl)#version 33 33

As is the case with Release 4.1.0, 4.1.0-P1, and 4.1.0-P2, in SSLi configurations, the version configured on the server-SSL template must match the forward-proxy-ssl-version configured on the client-SSL template.

For more information, refer to the “version” command in the “Config Commands: SLB Server SSL Templates” chapter in the Command Line Interface Reference for ADC.
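The rows of TABLE 1 are easy to misread during an upgrade, because the same version command line means different things before and after 4.1.0-P1: on 4.1.0 "version 33" pins TLS 1.2, while on 4.1.0-P3 the same line silently permits a fall-back to TLS 1.0 toward the server. The following Python is an added illustration, not A10 code or an ACOS feature. It encodes the table rows and reports which protocol versions the server-SSL side accepts for a given release and version command, and which versions become newly accepted when a template is carried unchanged across an upgrade. The labels 33 and 31 are from the page; 30 for SSLv3 and 32 for TLS 1.1 are assumptions by analogy with the version numbering, as are the release keys used for the rows.

```python
"""Added model of the ACOS server-SSL `version` command semantics from Table 1.
Not A10 code: it encodes the documented rules so the effect of an upgrade on the
TLS floor negotiated with backend servers can be checked before cutover."""
from typing import Dict, List, Optional, Tuple

# CLI version labels from the page: 33 = TLS 1.2, 31 = TLS 1.0.
# 30 = SSLv3 and 32 = TLS 1.1 are assumptions by analogy and are not on the page.
VERSION_LABELS: Dict[int, str] = {30: "SSLv3", 31: "TLS 1.0", 32: "TLS 1.1", 33: "TLS 1.2"}

# Per-release rows of Table 1: (default TLS version, minimum downgrade version,
# whether a downgrade to that minimum happens when no minimum is configured).
TABLE_1: Dict[str, Tuple[int, int, bool]] = {
    "4.0":      (31, 31, False),
    "4.0.1":    (31, 31, False),
    "4.0.3":    (31, 31, False),
    "4.1.0":    (31, 31, False),
    "4.1.0-P1": (33, 31, True),
    "4.1.0-P2": (33, 31, True),
    "4.1.0-P3": (33, 31, True),
}


def allowed_server_tls_versions(release: str, version: Optional[int] = None,
                                min_downgrade: Optional[int] = None) -> List[str]:
    """Return the TLS versions ACOS may negotiate with the backend server.

    `version` and `min_downgrade` are the first and second arguments of the
    server-ssl `version` command; None means the argument was not configured.
    """
    default_version, default_min, implicit_downgrade = TABLE_1[release]
    highest = default_version if version is None else version
    if min_downgrade is not None:
        floor = min_downgrade          # explicitly configured floor
    elif version is None:
        floor = default_min            # nothing configured: table defaults apply
    elif implicit_downgrade:
        floor = default_min            # 4.1.0-P1 and later: implicit fall-back to 1.0
    else:
        floor = highest                # 4.1.0 and earlier 4.x: exactly the configured version
    if floor > highest:
        raise ValueError("minimum downgrade version exceeds the configured version")
    return [VERSION_LABELS[v] for v in range(floor, highest + 1)]


def newly_accepted_after_upgrade(old_release: str, new_release: str,
                                 version: Optional[int] = None,
                                 min_downgrade: Optional[int] = None) -> List[str]:
    """Protocol versions the server-SSL side starts accepting after an upgrade
    when the template configuration lines are carried over unchanged."""
    before = set(allowed_server_tls_versions(old_release, version, min_downgrade))
    after = set(allowed_server_tls_versions(new_release, version, min_downgrade))
    return sorted(after - before)


if __name__ == "__main__":
    # `version 33` alone: exact on 4.1.0, but allows TLS 1.0 and 1.1 on 4.1.0-P3.
    print(allowed_server_tls_versions("4.1.0", 33))
    print(allowed_server_tls_versions("4.1.0-P3", 33))
    print(newly_accepted_after_upgrade("4.1.0", "4.1.0-P3", 33))
    # `version 33 33` pins TLS 1.2 on every release in the table.
    print(allowed_server_tls_versions("4.1.0-P3", 33, 33))
```

Run the second function over each server-SSL template before upgrading; any template that returns a non-empty list needs an explicit minimum downgrade version (for example "version 33 33") if the widened range is not intended.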

Default Behavior Changes Between ACOS 4.1.0 and ACOS 4.1.0-P2

This section contains the following changes between ACOS release 4.1.0-P2 and earlier 4.x releases.

The following topics are covered:

     TCP Proxy Retransmission Retries Default Changed

     Default Value Changed for receive-buffer and transmit-buffer in TCP-Proxy Template

TCP Proxy Retransmission Retries Default Changed

In release 4.1.0-P2, the default value for TCP Proxy retransmission retries was changed from 3 to 5.

For more information, see “slb template tcp-proxy” in the Command Line Interface Reference for ADC.

Default Value Changed for receive-buffer and transmit-buffer in TCP-Proxy Template

In release 4.1.0-P2, the default value for the receive-buffer and transmit-buffer commands under SLB TCP-Proxy template configuration was changed from 50KB (51200 bytes) to 200KB (204800 bytes).

For more information, see “slb template tcp-proxy” in the Command Line Interface Reference for ADC.

Default Behavior Changes Between ACOS 4.0.1 and ACOS 4.1.0

This section contains CLI changes between ACOS release 4.1.0 and 4.0.1.

The following topics are covered:

     Spaces in VIP Names are Not Supported

     Viewing the Active Device Statistics in aVCS Configurations

     SNMP CLI Changes

     Show class-list command Change

     Initial TCP Congestion Window

     dns-cache-enable round-robin command Change

     Deprecated CLI Commands

     Enhanced Black/White List Error Parsing Behavior

     Webroot and ThreatSTOP Licensing Behavior

     Changes to Formatting of NetFlow Records for Long-Lived Sessions

 

Spaces in VIP Names are Not Supported

Release 4.1.0 no longer supports spaces or special characters in VIP names.

If you have spaces or special characters in your VIP names, you should rename them appropriately before upgrading to release 4.1.0.

Viewing the Active Device Statistics in aVCS Configurations

The active-vrid option is no longer supported and has been removed from all show commands in the CLI.

SNMP CLI Changes

The following SNMP CLI commands are deprecated:

     snmp-server community read

     snmp-server user

These CLI commands are not removed from the CLI for backwards-compatibility purposes, but if you attempt to use them in release 4.1.0 the CLI will return an error message.

For information about the new CLI commands and SNMP community string and user configuration, see the “Simple Network Management Protocol (SNMP)” chapter in the System Configuration and Administration Guide.

Show class-list command Change

In ACOS 4.1.0, the following usage guideline is added to the show class-list command:

Usage: For Aho-Corasick (AC) class lists, enter the write memory command immediately before entering show class-list.

Initial TCP Congestion Window

In release 4.1.0, the default values for initial TCP congestion window (init-cwnd, configured under SLB TCP proxy template) are changed as follows:

     Default is 10 segments (previous was 4)

     Configurable range is 1-15 (previous was 1-10)

dns-cache-enable round-robin command Change

When using the dns-cache-enable round-robin command, the DNS transaction ID (which is random) is now used to assist in the round-robin. This behavior performs better under heavy traffic, but the side effect is that server selection does not strictly follow round-robin order.

Deprecated CLI Commands

The following options are deprecated under aam authentication portal default-portal:

     reset-change-password

     reset-logon

     reset-logon-fail

Enhanced Black/White List Error Parsing Behavior

In release 4.1.0, errors in a Black/White list entry cause the entire entry to be completely ignored; traffic is neither dropped nor allowed because of any errors.

The error is still logged in the same manner as in all previous releases.

Webroot and ThreatSTOP Licensing Behavior

In release 4.1.0, a new licensing scheme is in effect with regard to Webroot and ThreatSTOP. Things to note about the licensing behavior:

     If you have network access during system set-up, the ACOS device will communicate with the Global Licensing Manager to verify your licensing status once you use the glm enable-requests command. If you do not have network connectivity, then you will have to import the license manually and start a new CLI session. See glm enable-requests, import glm-license, and show license-info in the Command Line Interface Reference for further info about managing your license.

     The show license-info command will show the expiry date of none or N/A for Webroot and ThreatSTOP. However, an additional Webroot or ThreatSTOP license is required for usage.

See the Global License Manager User Guide for further info about obtaining and managing your license.

Changes to Formatting of NetFlow Records for Long-Lived Sessions

In release 4.1.0, there is a change in the formatting of the “start time” and “duration” fields in NetFlow records for long-lived sessions (typically defined as those lasting more than 10 minutes).

For each new NetFlow record created for a session on the ACOS device, the NetFlow record will show the time that the session began as the start time. Therefore, NetFlow records sent out for different sessions will have different start times.

However, for long-lived sessions (for example, 15 minutes), if the flow-timeout period is set to 5 minutes, then ACOS will produce three flow records for one 15-minute session. The three flow records will each have the same start time, because the records are reporting on the same session.

In previous releases, the NetFlow records would erroneously reset the start time to the time at which the previous NetFlow record was exported. This behavior was incorrect, because instead of having three records with the same start time, there were three records that had incrementally larger start times, even though they were for the same session.

The following shows sample records using the old (incorrect) approach, followed by sample records using the new approach.

Sample NetFlow records using the old formatting approach:

Duration: 318.000000000 seconds (5:18)
StartTime: Feb  2, 2015 12:35:52.341000000 Russia TZ 2 Standard Time
Note that the StartTime plus the duration equals 12:41:10.341, which became the start time of the next record.

Duration: 356.964000000 seconds (5:56.964)
StartTime: Feb  2, 2015 12:41:10.341000000 Russia TZ 2 Standard Time
Note that the StartTime plus the duration equals 12:47:07.305, which became the start time of the next record.

Duration: 356.960000000 seconds
StartTime: Feb  2, 2015 12:47:07.305000000 Russia TZ 2 Standard Time (and so on...)

Sample NetFlow records using the new formatting approach:

Duration: 318.000000000 seconds
StartTime: Feb  2, 2015 12:35:52.341000000 Russia TZ 2 Standard Time

Duration: 674.964000000 seconds
StartTime: Feb  2, 2015 12:35:52.341000000 Russia TZ 2 Standard Time

Duration: 1031.924000000 seconds
StartTime: Feb  2, 2015 12:35:52.341000000 Russia TZ 2 Standard Time

NOTE: Instead of resetting the start time to the time at which the most recent NetFlow record was exported, the start time remains the same for all three records for this session. In addition, the duration is not reset to zero but is incrementally larger for each record, because more time has elapsed since the first, second, and third records were sent.

The benefit of this new approach to formatting the session “start time” and “duration” fields in the NetFlow records is that the new approach essentially joins the records into a single session that can be more easily stored and searched in a database.
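A collector that ingested records from releases before 4.1.0 will hold chained records like the old sample above, and a query that groups by start time will count one long-lived session several times. The following Python is an added example and is not part of the ACOS product or its documentation. It parses records in the two-line layout shown above, detects the old chained scheme (each start time equals the previous start time plus its duration), and rewrites such a series into the 4.1.0 layout so that the session collapses to a single start time. The sample text is constructed from the values on the page; the regular expression and the truncation of nanoseconds to microseconds are assumptions about this summary layout, not about the on-wire NetFlow fields.

```python
"""Added example (not A10 code): normalise pre-4.1.0 chained NetFlow record
summaries into the 4.1.0 layout (fixed start time, cumulative duration)."""
import re
from datetime import datetime
from typing import Dict, List, Tuple

Record = Tuple[datetime, float, str]  # (start time, duration in seconds, timezone label)

# Constructed sample using the old-scheme values from the page: each StartTime is
# the previous StartTime plus the previous Duration.
OLD_RECORDS = """\
Duration: 318.000000000 seconds (5:18)
StartTime: Feb  2, 2015 12:35:52.341000000 Russia TZ 2 Standard Time

Duration: 356.964000000 seconds (5:56.964)
StartTime: Feb  2, 2015 12:41:10.341000000 Russia TZ 2 Standard Time

Duration: 356.960000000 seconds
StartTime: Feb  2, 2015 12:47:07.305000000 Russia TZ 2 Standard Time
"""

# Assumed layout of the StartTime line: "Mon [D]D, YYYY HH:MM:SS.fffffffff <tz label>".
START_RE = re.compile(
    r"StartTime:\s+([A-Za-z]{3}\s+\d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+)\s*(.*)")


def parse_records(text: str) -> List[Record]:
    """Pair each Duration line with the StartTime line that follows it."""
    records: List[Record] = []
    duration = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Duration:"):
            duration = float(line.split()[1])
        elif line.startswith("StartTime:") and duration is not None:
            m = START_RE.match(line)
            if not m:
                raise ValueError(f"unparsable StartTime line: {line}")
            stamp, fraction, tz = m.groups()
            # datetime stores microseconds; the export carries nine fractional digits.
            start = datetime.strptime(f"{stamp}.{fraction[:6]}", "%b %d, %Y %H:%M:%S.%f")
            records.append((start, duration, tz))
            duration = None
    return records


def uses_old_scheme(records: List[Record], tolerance: float = 0.001) -> bool:
    """True when every StartTime equals the previous StartTime plus its Duration,
    which is the incorrect behaviour of releases before 4.1.0."""
    if len(records) < 2:
        return False
    return all(abs((s1 - s0).total_seconds() - d0) <= tolerance
               for (s0, d0, _), (s1, _, _) in zip(records, records[1:]))


def to_new_scheme(records: List[Record]) -> List[Record]:
    """Rewrite chained records to the 4.1.0 layout: the first StartTime is kept for
    every record and Duration becomes the time elapsed since that start."""
    if not records:
        return []
    session_start, _, tz = records[0]
    elapsed = 0.0
    rewritten: List[Record] = []
    for _, duration, _ in records:
        elapsed = round(elapsed + duration, 6)   # microsecond precision, no float drift
        rewritten.append((session_start, elapsed, tz))
    return rewritten


def sessions(records: List[Record]) -> Dict[datetime, float]:
    """Group records by StartTime, keeping the longest Duration seen for each.
    Old-scheme records yield one session per export; new-scheme records yield one."""
    longest: Dict[datetime, float] = {}
    for start, duration, _ in records:
        longest[start] = max(duration, longest.get(start, 0.0))
    return longest


def format_record(start: datetime, duration: float, tz: str) -> str:
    """Render a record in the page's two-line layout with nine fractional digits."""
    stamp = f"{start:%b} {start.day:2d}, {start:%Y %H:%M:%S}.{start.microsecond:06d}000"
    return f"Duration: {duration:.9f} seconds\nStartTime: {stamp} {tz}"


if __name__ == "__main__":
    old = parse_records(OLD_RECORDS)
    print("old scheme detected:", uses_old_scheme(old), "sessions:", len(sessions(old)))
    new = to_new_scheme(old)
    print("sessions after rewrite:", len(sessions(new)))
    for rec in new:
        print(format_record(*rec), end="\n\n")
```

The detection step matters when a collector receives exports from devices on mixed releases: only a series that actually chains should be rewritten, otherwise distinct back-to-back sessions would be merged into one.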

The following types of records are impacted by this change in behavior:

     dslite – DS-Lite Flow Record Template

     nat44 – NAT44 Flow Record Template

     nat64 – NAT64 Flow Record Template

     netflow-v5 – NetFlow V5 Flow Record Template

     netflow-v5-ext – Extended NetFlow V5 Flow Record Template, supports ipv6

For more information about configuring NetFlow, see the “NetFlow v9 and v10(IPFIX)” chapter in the System Configuration and Administration Guide.

Default Behavior Changes Between ACOS 4.0 and ACOS 4.0.1

This section contains CLI changes between ACOS release 4.0 and 4.0.1.

The following topics are covered:

     AAM SSL Client Certificate Authentication via LDAP

     VRRP-A CLI Changes

     Overlay CLI Changes

     CGNv6 DDoS IP Anomaly Checks

 

AAM SSL Client Certificate Authentication via LDAP

In release 4.0, the ACOS device extracts the content in subject-alt-name-othername from the client certificate to use for LDAP authentication.

In release 4.0.1, the default is changed so that the ACOS device uses the virtual port’s client SSL template configuration:

ACOS-Active(config)#slb template client-ssl client-ssl
ACOS-Active(config-client ssl)#auth-username ?
 common-name                 Certificate subject common name
 subject-alt-name-email      Subject Alternative Name - extension email
 subject-alt-name-othername  Subject Alternative Name - other name

The default content extracted is common-name, but this may be configured to suit your specific needs for LDAP authentication. For more information about these options, refer to the slb template client-ssl command in the Command Line Interface Reference.

VRRP-A CLI Changes

This section describes the following VRRP-A CLI changes in release 4.0.1:

     Disable VRRP-A

     Force-Self-Standby

     Persistent Force-Self-Standby

     VRID Fail-Over Policy Template

     VRID Priority

     VRID Tracking Options

 

Disable VRRP-A

ACOS 4.0 configuration:

no enable

ACOS 4.0.1 configuration:

disable

Force-Self-Standby

ACOS 4.0 configuration:

vrrp-a common
  vrrp-a force-self-standby

ACOS 4.0.1 configuration:

vrrp-a force-self-standby vrid 3

Persistent Force-Self-Standby

ACOS 4.0 configuration:

vrrp-a common
  vrrp-a force-self-standby vrid 3 persistent

ACOS 4.0.1 configuration:

vrrp-a force-self-standby-persistent vrid 3

VRID Fail-Over Policy Template

ACOS 4.0 configuration:

vrrp-a vrid 0
  fail-over-policy-template template1

ACOS 4.0.1 configuration:

vrrp-a vrid 0
  blade-parameters
    fail-over-policy-template template1

VRID Priority

ACOS 4.0 configuration:

vrrp-a vrid 0
  priority 200

ACOS 4.0.1 configuration:

vrrp-a vrid 0
  blade-parameters
    priority 200

VRID Tracking Options

ACOS 4.0 configuration:

vrrp-a vrid 0
  tracking-options
    ...

ACOS 4.0.1 configuration:

vrrp-a vrid 0
  blade-parameters
    tracking-options
      ...


Overlay CLI Changes

Show Overlay Configuration

ACOS 4.0 command:

show overlay-tunnel

ACOS 4.0.1 command:

show running-config overlay-tunnel

CGNv6 DDoS IP Anomaly Checks

The following CGNv6 DDoS IP Anomaly checks have been removed from FPGA platforms in ACOS 4.0.1:

     Bad IP Flags

     UDP Port Loopback

     UDP Kerberos Frag

     IPv4 Options

These checks remain applicable on non-FPGA platforms. The full list, including these checks, can be found in the IPv6 Transitions Solution Guide.

Default Behavior Changes Between Legacy 2.x Releases and ACOS 4.x Releases

This section contains the following:

     Default Behavior of Layer 2 Handling on the Default VLAN

     Default Behaviors for Private Partitions

     Configuring High Availability

     Admin Roles

     End-User Scripts Must Add Delay for SLB Policy Templates

     Interfaces are Disabled by Default

     Confirming Hardware-Based Compression Support

     TLS version support in the Server SSL template

 

Default Behavior of Layer 2 Handling on the Default VLAN

For a system configured in gateway mode or a system without any IP address, Layer 2 MAC learning and Layer 2 forwarding are disabled on the default VLAN (VLAN=1). In transparent mode, Layer 2 MAC learning and Layer 2 forwarding are enabled on the default VLAN.

Layer 2 MAC Learning and Layer 2 forwarding on the default VLAN may be enabled by using the vlan-global enable-def-vlan-l2-forwarding command under global configuration mode.

NOTE: It is recommended that static MACs not be configured in the default VLAN in gateway or no-IP-address mode, since Layer 2 MAC learning and Layer 2 forwarding are disabled by default in these modes. If you need to use static MACs in the default VLAN, enable forwarding on the default VLAN using the vlan-global enable-def-vlan-l2-forwarding command under config mode.

Default Behaviors for Private Partitions

This section contains the following topics:

     Only L3V Partitions are Supported

     Partition IDs are Mandatory

     Unloading and Deleting a Partition

     New show Commands in the CLI

     Partitions are SLB or CGN-Specific

Only L3V Partitions are Supported

The only type of partition that can be created in ACOS 4.x is an L3V partition; legacy RBA partitions are no longer supported. For more information, see “Understanding L3V Partitions” in the Configuring Application Delivery Partitions guide.

A new implementation of RBA, called Role-Based Access Control, is introduced in this release. This feature enables the creation of multiple users, groups, and roles with varying degrees of permissions. For more information, see “Role-Based Access Control” in the Management Access and Security Guide.

Partition IDs are Mandatory

When configuring an L3V partition, specifying a partition ID is now mandatory. In addition, the partition ID is mapped to the L3V partition and remains unique in the system. If a partition “CorpA” has been configured with ID 1, then ID 1 cannot be re-used by another partition on the system.

For more information, see “L3V Partition Configuration” in the Configuring Application Delivery Partitions guide.

Unloading and Deleting a Partition

The no form of the partition command unloads a configuration profile from the system; in order to permanently delete a partition, you must use the delete partition command.

For more information, see “Understanding L3V Partition Profiles” in the Configuring Application Delivery Partitions guide.

New show Commands in the CLI

The show partition command is enhanced to provide options for viewing inactive partitions, available IDs for partition configuration, and port usage for partitions.

For more information, see “show partition” in the Configuring Application Delivery Partitions guide.

Partitions are SLB or CGN-Specific

ACOS 4.x supports both SLB and CGN features, but only one can be enabled in each partition. SLB and CGN features cannot be run together in the same partition.

For more information, see “Enabling SLB or CGN in Partition” in the Configuring Application Delivery Partitions guide.

Configuring High Availability

Only VRRP-A high availability is supported in ACOS 4.x releases; the legacy High Availability (HA) configuration is no longer supported. For more information, see the Configuring VRRP-A High Availability guide.

Admin Roles

The ACOS 4.x releases support only 5 admin roles, compared to 12 in previous releases. TABLE 2 summarizes this information:

TABLE 2       Admin Role Comparison

Admin Role                    Supported in Legacy Releases?   Supported in 4.x Releases?
ReadOnlyAdmin                 Yes                             Yes
ReadWriteAdmin                Yes                             Yes
SystemAdmin                   Yes                             No
NetworkAdmin                  Yes                             No
NetworkOperator               Yes                             No
SlbServiceAdmin               Yes                             No
SlbServiceOperator            Yes                             No
PartitionReadWrite            Yes                             Yes
PartitionNetworkOperator      Yes                             No
PartitionSlbServiceAdmin      Yes                             No
PartitionSlbServiceOperator   Yes                             Yes
PartitionReadOnly             Yes                             Yes


End-User Scripts Must Add Delay for SLB Policy Templates

End-user scripts that perform simultaneous update, deletion, or re-creation of any of the following must be modified to include a delay of a few seconds between actions:

     SLB policy templates

     Binding of an SLB policy template to a virtual port

     Binding of an SLB policy template to the system

     Binding of an SLB policy template to a virtual server

     Modifying fields of an already bound policy template

In previous releases, ACOS automatically retried the action after two seconds; this is no longer the case in 4.0.


Interfaces are Disabled by Default

In ACOS 4.x releases, the output of the show running-config command does not show “disable” for disabled interfaces.

In the legacy 2.x releases, the following section of show running-config output would indicate that interface ethernet 5 is enabled and ethernet 6 is disabled:

interface ethernet 5
 trunk-group 1
!
interface ethernet 6
 disable
 trunk-group 1
!

In the ACOS 4.x CLI, the same configuration would be shown as follows:

interface ethernet 5
 enable
 trunk-group 1
!
interface ethernet 6
 trunk-group 1
!

The “non-default” state of enabled is explicitly shown, while the “default” state of disabled is not shown.
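Because the printed keyword flips between releases, an audit script that only searches for “disable” will report every disabled 4.x interface as enabled, and an unused-port review built on it will miss nothing and everything at once. The following Python is an added example, not A10 code: it walks show running-config output in the layout shown above, applies the correct default for the release, and lists the interfaces a 2.x-era check would misreport when run against 4.x output. The two configuration samples are constructed from the snippets above.

```python
"""Added example (not A10 code): interface state from show running-config under
both conventions. 2.x prints `disable` for disabled interfaces and nothing for
enabled ones; 4.x prints `enable` for enabled interfaces and nothing for disabled."""
from typing import Dict, List

# Constructed samples in the layout shown above.
LEGACY_2X_CONFIG = """\
interface ethernet 5
 trunk-group 1
!
interface ethernet 6
 disable
 trunk-group 1
!
"""

ACOS_4X_CONFIG = """\
interface ethernet 5
 enable
 trunk-group 1
!
interface ethernet 6
 trunk-group 1
!
"""


def interface_states(running_config: str, acos_major: int) -> Dict[str, bool]:
    """Map each interface name to True (enabled) or False (disabled).

    The default applied to a block with neither keyword depends on the release:
    enabled on 2.x, disabled on 4.x. Explicit `enable`/`disable` lines override it.
    """
    default_enabled = acos_major < 4
    states: Dict[str, bool] = {}
    current = None
    for raw in running_config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line[len("interface "):]
            states[current] = default_enabled
        elif line == "!":
            current = None                      # end of the interface block
        elif current is not None and line == "disable":
            states[current] = False
        elif current is not None and line == "enable":
            states[current] = True
    return states


def misreported_interfaces(running_config: str, assumed_major: int,
                           actual_major: int) -> List[str]:
    """Interfaces whose state an audit written for `assumed_major` gets wrong when
    run against a configuration taken from an `actual_major` device."""
    assumed = interface_states(running_config, assumed_major)
    actual = interface_states(running_config, actual_major)
    return sorted(name for name in actual if assumed[name] != actual[name])


if __name__ == "__main__":
    print(interface_states(LEGACY_2X_CONFIG, 2))
    print(interface_states(ACOS_4X_CONFIG, 4))
    # A 2.x-era audit applied to 4.x output would report ethernet 6 as enabled.
    print(misreported_interfaces(ACOS_4X_CONFIG, assumed_major=2, actual_major=4))
```

The release is passed in explicitly rather than guessed from the text, since a 4.x configuration in which every interface happens to be enabled is indistinguishable from a 2.x one by keywords alone.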

Confirming Hardware-Based Compression Support

The show hardware command can be used to confirm whether your device supports hardware-based compression:

ACOS# show hardware
AX Series Advanced Traffic Manager AX3400
     Serial No : AX34051112300079
     CPU       : Intel(R) Xeon(R) CPU
                 12 cores
                 2  stepping
     Storage   : Single 74G drive
     Memory    : Total System Memory 24738 Mbyte, Free Memory 10163 Mbyte
     SMBIOS    : Build Version: 080016
                 Release Date: 06/15/2012
     SSL Cards : 1 device(s) present
                 1 Nitrox PX
     GZIP      : 0 compression device(s) present
     FPGA      : 4 instance(s) present
                 Date : 12172013
     L2/3 ASIC : 1 device(s) present
     Ports     : 28


In ACOS 2.x releases, the “GZIP” field is always present in the output and will show whether or not a hardware-based compression module is installed on your device; a “0” in this field means that hardware-based compression is not supported.

In ACOS 4.x releases, this field will only appear if a GZIP module is installed on the device.
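An inventory script that keys on the GZIP line must treat the field's absence, and not only a zero count, as “no hardware compression”, otherwise a 4.x device without a module raises a parse error or is skipped. The following Python is an added example, not A10 code: it reads the GZIP field from show hardware output and returns the same answer for a 2.x zero count and a 4.x missing line. The two excerpts are constructed from the output shown above.

```python
"""Added example (not A10 code): read the GZIP field of `show hardware`, allowing
for the 4.x behaviour in which the field is omitted when no module is installed."""
import re
from typing import Optional

# Constructed 2.x-style excerpt: field present with a zero count.
SHOW_HARDWARE_2X = """\
     SSL Cards : 1 device(s) present
                 1 Nitrox PX
     GZIP      : 0 compression device(s) present
     FPGA      : 4 instance(s) present
"""

# Constructed 4.x-style excerpt: no module installed, so the GZIP line is absent.
SHOW_HARDWARE_4X = """\
     SSL Cards : 1 device(s) present
                 1 Nitrox PX
     FPGA      : 4 instance(s) present
"""

GZIP_RE = re.compile(r"^\s*GZIP\s*:\s*(\d+)\s+compression device\(s\) present", re.M)


def gzip_device_count(show_hardware: str) -> Optional[int]:
    """Number of compression devices reported, or None when the field is absent."""
    m = GZIP_RE.search(show_hardware)
    return int(m.group(1)) if m else None


def hardware_compression_supported(show_hardware: str) -> bool:
    """True only when at least one compression device is present.  A missing field
    (4.x without a module) and an explicit zero (2.x) are both unsupported."""
    return bool(gzip_device_count(show_hardware))


if __name__ == "__main__":
    for label, text in (("2.x", SHOW_HARDWARE_2X), ("4.x", SHOW_HARDWARE_4X)):
        print(label, gzip_device_count(text), hardware_compression_supported(text))
```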

TLS version support in the Server SSL template

The forward-proxy-enable command in the SLB server-SSL template mode used TLS version 1.2 when initiating a TLS session with a server. In Release 4.1.0-P3, with the forward-proxy-enable command you can now configure the TLS version to be used instead.

The TLS version sent in the TLS handshake tells the server the highest version that is supported.

 

 
