Best Of
Re: Harmony Controller
Harmony Controller is installed on top of a Linux server and relies on the underlying networking configuration of that server. You would need to configure that Linux server's ethernet interface / DNS / gateway accordingly to provide Internet access.
Re: A10 network updates
At this time, ACOS does not connect to the internet directly for updates. Updates are downloaded by the user and applied through the Web GUI or from a specified remote server via CLI.
Re: Snat in NHLD with alternate server
Try replacing source-nat auto with a NAT pool group. ACOS will apply the correct member for the outbound route.
```
ACOS(config)# ip nat pool-group outbound-nat-group
ACOS(config-pool-group:outbound-nat-gro)# member STATIC-1
ACOS(config-pool-group:outbound-nat-gro)# member STATIC-2
```
```
slb virtual-server WCARD-VIP 0.0.0.0
  port 0 tcp
    no-dest-nat
    service-group SG-INTERNET-TCP
    pool outbound-nat-group
```
Re: 2 Active Link and 1 Backup Link
Within the NHLD service group configurations, configure the 2 active link members with a higher priority than the 1 backup link member. With this configuration, the backup link member should only be used if both active link members are in a down state. Example:
```
slb service-group outbound-tcp-links tcp
  member Pri-1 0 priority 10
  member Pri-2 0 priority 10
  member Backup 0 priority 5
!
slb service-group outbound-udp-links udp
  member Pri-1 0 priority 10
  member Pri-2 0 priority 10
  member Backup 0 priority 5
```
Re: Load Balancing IPSEC VPN UDP-500 & UDP-4500
Thanks Guys, your replies have led me straight to a working configuration. Following holiday / family bereavement / other work commitments we now have this up and running.
The config below is working fine, and I thought I would share it to say thanks and in case it helps others.
Our front end Virtual Server IP is 192.168.98.1
The two RAS servers are 192.168.99.8 & 192.168.99.9.
```
!
slb server S-MS-AoVPN-RAS1 192.168.99.8
  port 500 udp
    health-check-disable
  port 4500 udp
    health-check-disable
!
slb server S-MS-AoVPN-RAS2 192.168.99.9
  port 500 udp
    health-check-disable
  port 4500 udp
    health-check-disable
!
slb service-group SG-MS-AoVPN-UDP-4500 udp
  template port template_delsessiondown
  member S-MS-AoVPN-RAS1 4500
  member S-MS-AoVPN-RAS2 4500
!
slb service-group SG-MS-AoVPN-UDP-500 udp
  template port template_delsessiondown
  member S-MS-AoVPN-RAS1 500
  member S-MS-AoVPN-RAS2 500
!
slb template persist source-ip T-MS-AoVPN-SRC-IP
  match-type server
!
slb template udp template_reselectifdown
  re-select-if-server-down
!
slb virtual-server VS-MS-AoVPN 192.168.98.1 /32
  disable-when-all-ports-down
  port 500 udp
    service-group SG-MS-AoVPN-UDP-500
    template persist source-ip T-MS-AoVPN-SRC-IP
    template udp template_reselectifdown
  port 4500 udp
    service-group SG-MS-AoVPN-UDP-4500
    template persist source-ip T-MS-AoVPN-SRC-IP
    template udp template_reselectifdown
!
```
Re: Forward Proxy + SSL Termination
Ahh okay interesting. So I managed to accomplish this with two different virtual servers. One with a client/server SSL policy + aflex rule. This handles the one domain for which we own the server-side certificate. That allows us to decrypt/reencrypt the traffic and apply the aflex rule.
The other virtual server has a policy template that permits/denies individual domains that are to be routed without decryption.
Each virtual server is front-ended with an IP ACL that steers traffic to the single website into the first virtual server, with all remaining traffic into the second.
I'll check out your suggestion, that might allow us to roll everything into a single VS. Certainly simpler!
Re: Upload SSL certs via axapi v3.0
I am using Ansible with the official Ansible collection from A10: https://galaxy.ansible.com/a10/acos_axapi.
A kind engineer from A10 helped us analyze this in more detail, and we finally found that the respective module needs `file` and `file_handle` to be the same.
This looks like this then:
```
- name: "Configure SSL Certificate"
  a10.acos_axapi.a10_file_ssl_cert:
    state: present
    action: import
    certificate_type: pem
    file: "test-cert-2023"
    file_handle: "test-cert-2023"
    file_path: "/tmp/netlb-certs/sometest.pem"
```
`file_handle` usually should be the name of the uploaded (source) file, but the Ansible module sets the source file name in the POST to be the value of the `file` attribute here.
Re: GSLB ZONE AS A RECORD
You can create a service without a name. From CLI, do not enter a service name after the port, and from the GUI, do not enter a service name in the text field. This will create a FQDN for the gslb zone name.
CLI:
```
gslb zone gslb.dunnlab.com
  service 443
    dns-a-record web2 ttl 0 static
```
GUI:
- GSLB > FQDNS > Create
- Select Existing Zone. Leave Service field empty. Enter Port #. Create.
- Edit the new FQDN. Create Service A Record. Update FQDN
Hope this helps!
Re: Error with Partitions using ansible: 1023721472 Access Denied
The username that you use must have read/write rights to the partition that you want to configure. This error happens if the user does not have the correct rights to the partition.
How to use the a10.acos_axapi.a10_file_aflex module in Ansible
Hello,
I am trying to deploy aFleX scripts to an A10 load balancer in Ansible with the a10_file_aflex Python module in the a10.acos_axapi Ansible collection. However, every time I run my script, there are some weird errors that appear about the syntax of the structure of my Ansible task and some mistakes in the aFleX script. The documentation on how to structure the data (which fields must be defined) in order for the A10 load balancer to accept it is not clear. I would really appreciate it if someone could guide me on how to send these aFleX scripts to the A10 with the a10_file_aflex Ansible module. Thank you.