-
Geo-Location db
I am looking to start using geo-location with our GSLB config. The pre-loaded IANA db doesn't seem very specific within a country - or maybe I'm just reading things wrong. A problem I also see with this is that our physically diverse locations both show under the same net range in ARIN; since IANA doesn't I can't assign…
-
AX Series Inbound Link Loadbalance Tutorial
Dear All: Where can I find the document about AX Series Inbound Link Loadbalance Sample config or tutorial~thks
-
VIPs and routed solutions
Looking for the pros and cons of where VIPs are defined. In a layer 3 setup a VIP can be either 'in front' of the AX (in network x) or defined 'behind' the AX in the same network as the real servers (network z). What's the recommended best practice and or under what situations would you use the alternative (your not best…
-
vThunder 30 days trial - default login/pass not working
Hi All, I got the 30 days trial version of vThunder virtual appliance and I get the login prompt but the default admin password is not working. Both CLI (SSH/console) and web GUI are not accepting the default password. Any idea guys? error msg -- Jan 31 2014 09:52:29 vThunder a10logd: [SYSTEM] The user, admin, from the…
-
Moving config to new context
I installed a new AX1030 and have completed the configuration but now we have decided to put that config into another context. So how do I move a config file from one context to another?
-
Determine Source IP and Port
I am totally new to aFlex so naturally, am totally lost. I have a VIP that I want to capture the sources IP and Port number. I have some success with the following: when HTTP_REQUEST { HTTP::header insert "X-Forwarded-For" [IP::client_addr] } This gives me the IP but only if it is http, not https (http_request error).…
-
MS Dynamics CRM 2011
Good Morning, Just starting with putting an Dynamics CRM 2011 installation behind our AXs. Had a look and can't see any specific documentation on A10s site, and was wondering if anyone else has done this before and got any pointers or gotchas they'd like to share. Cheers Stuart
-
traceroute error
I login to AX1000 console. And then, I traceroute 8.8.8.8 But, reply to me : AX1000-11#traceroute 8.8.8.8 traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 40 byte packets 1 google-public-dns-a.google.com (8.8.8.8) 6.098 ms 6.022 ms 6.012 ms 2 google-public-dns-a.google.com (8.8.8.8) 2.015 ms 1.959 ms 1.950 ms 3…
-
F5 Config Migration Check and Help Needed
I got an orphan F5 requiring migration where we encounter intermittent on services, the weird part is we are unsure of the services method; As from F5 we see the following which we are unsure what it is used for and require assistance to understand; - Listener 10.160.1.42 -> What is the use of this Listener? - Default route used Router…
-
Service group description using aXAPI
How can I specify a description when creating a service group using the aXAPI (REST API)? I tried specifying it under key 'description', but the created service group does not have the description. Also aXAPI does not show the description of a service group created with using the Web GUI. I also want to edit service group…
-
Sticky sessions cookie issue
Hello I have an issue with sticky sessions, currently we're using a cookie set by the AX on http-request, the issue I have (it's a webshop) is that upon checkout, the store switches from http to https and thus we get a new cookie and there's a high probability that the shopping cart is lost due to server switch. This is…
-
Passing Multicast Traffic
Does anyone have any experience passing multicast traffic through an A10? I need to establish PIM neighbor relationships and subsequently pass native multicast traffic through the device. Any help would be appreciated. My SE told me the devices don't participate, but that it's possible to pass the traffic through. He's…
-
Remove Header
I'd like to remove just the Negotiate from a WWW-Authenticate header, anyone have a suggestion for how to accomplish this? I'm SSL offloading a website that is offering up Basic, Negotiate and NTLM in the Auth header. I'd like to remove just the Negotiate if that's possible such that the client doesn't try to use the Negotiate.…
-
SMTP Virtual Service...need to see clients IP
Hi. I have SMTP load balanced as part of an Exchange 2007 cluster. I am using one-arm mode for my AX devices, so am also using Source NAT on the service. Am also restricting access to the SMTP relay on the Exchange servers (not on AX's) by IP Address. Unfortunately when I send a message using SMTP the Exchange servers see…
-
Secure and HttpOnly Cookies
Below is a script to allow a general way to Secure and HttpOnly cookies. It looks at the incoming port and sets Secure & HttpOnly when it's 443 and HttpOnly when it's 80. ################################################### Secure and HttpOnly Cookies# (c) A10 Networks -- MP# v1…
-
Load balancing problem
I'm facing a problem with AX1030 as it only redirects the traffic to one server and does not redirect any traffic to the other server. Topology: 2*AX1030 connected to two servers in routed mode
-
Supporting multiple services selective client-ssl and server-ssl w/ single VIP
We have a need to support numerous services behind a single VIP. URL switching makes this fairly easy, however some sites use client-ssl, and other sites use client & server-ssl. What would an effective AFLEX look like to support this SSL-template selection based on specific header content?
-
Supporting two services on same VIP and Host Port
Hello, I have a server running two web based services, both on port 443. I'm using host headers to differentiate between the two. We have a need to add a second server for redundancy purposes. I'm curious which of the following (or some other I'm not thinking of?) method would be better: A) Have both URLs go to one A10 VIP…
-
Multiple health-checks, compound with priority?
I would like to set up health-checks for several URLs per real-server, and I understand I can do this with compound checks. However, if one of the URLs fails on all real servers I don't want the entire website to go down. Is there some way to get one health-check per URL, and if one URL fails you lower the priority on the…
-
Routing in one-arm mode?
Hi folks. I have a couple of AX3200s in HA active-passive mode, with several partitions. In one partition "test" I want it to have a connection to two different VLANs - EG. VLAN1 10.0.1.0 and VLAN2 10.0.2.0. I added a default route for 0.0.0.0/0.0.0.0 to VLAN1 gateway 10.0.1.1. Should I add other specific routes for both…
-
Clearing sessions
Does anybody know how to clear sessions for a specific port on a server with in a service group?
-
CPU Monitoring with Collectd
Here is my collectd cfg to get cpu data of an ax. You can use it to graph it with graphite. my_types.db: a10_cpu lambda:GAUGE:0:100 a10-snmp.conf: # A10 CPU SNMP Checks # Type "cpu" Table false Instance "mgmt" Values "iso.3.6.1.4.1.22610.2.4.1.3.6.1.3.0.5" Type "cpu" Table false Instance "data_1" Values…
-
Inserting the client certificate in a header
When you need the client certificate on the real server: when CLIENTSSL_CLIENTCERT { set cert [SSL::cert 0] session add ssl [SSL::sessionid] $cert } when HTTP_REQUEST { set cert [session lookup ssl [SSL::sessionid]] regsub -all {([\\-]+(BEGIN|END) CERTIFICATE[\\-]+)|\n} [X509::whole $cert] {} chdr HTTP::header insert…
-
Certificate Selection with Class-List (Alternative to SNI)
Server Name Indication is a feature in 2.7 that allows you to simplify your config by defining only one HTTPS VIP, but serving multiple certificates for different domains from this same VIP address. SNI is not supported on older browsers however. An alternative to using SNI is to use multi-domain certificates, which have…
-
Sorry page based on number of users
In 2.7.0-P1 a new command has been introduced to aFleX persist size uie [global] If global is specified, the number of persistent entries in the entire partition is returned. This means you can for example generate a sorry page based on the max number of active users you want to allow. For example: when HTTP_REQUEST { set…
-
Generating an empty gif
When you have a need for an empty gif to be generated. Unfortunately I am not able to post the actual code, but you can find it here: http://high5.nl/paste/view/93274853
-
Block DNS queries with class-list
When you want to reject or drop queries to a certain domain. The class-list: class-list cl-dns string str .example.tld drop str .example2.tld drop ! The aFleX: when DNS_REQUEST { if {!([DNS::question name] equals ".")} { set fqdn .[DNS::question name] } if { [CLASS::match $fqdn ends_with cl-dns] } { drop log local0.INFO…
-
Form Authentication with class-lists
If you want to use aFleX for Authentication and have an external store for users. class-list passwords string str user1 d154c51df37bd33b29cec5aa51efd29f5a6a6f1e ! when RULE_INIT { set ::AUTHENTICATED "no" set ::FORM_CONTENT "AuthenticationPlease AuthenticateUsername:Password: " } when HTTP_REQUEST { set client_ip…
-
Drop certain DNS queries (ANY and RD)
When you don't want to allow certain DNS queries to be sent to the DNS server. when RULE_INIT { set ::DEBUG 0 } when DNS_REQUEST { if { $::DEBUG == 1 } { log "Question: name: [DNS::question name] - type: [DNS::question type] - Query ID: [DNS::header id] - RD: [DNS::header rd]" } if { [DNS::question type] eq "ANY" } { if {…
-
Basic HTTP Authentication w/ class-list
################################################# # # aFleX script to provide Basic HTTP Authentication # without the need for an external database. # # The class-list for authentication is called # "cl-passwords" (default) of type "string" and has # to contain the following data: # str # # For example: # str user1…