Best Of
Re: Cookie Persistence
Generally speaking, native configurations are always preferred over Aflex. Native configurations are simpler to manage and ease operations, and they also require less CPU processing on the A10. In some situations, Aflex scripts are used before native features are implemented in the code base. Once the feature is built, migration from Aflex to native commands can take place.
Re: Error HTTP 431
The maximum HTTP header size should be 64KB. If the header length is exceeded, a Warning log should be generated, similar to "Warning [ACOS]:HTTP header (len=108) "" is too long"
Re: Error HTTP 431
Alfredo,
I realize this is in Azure, but would it be possible to use a client to send a request directly to the backend server (circumvent the load balancer) and see if you get the same HTTP 431 error? This would help narrow down if the load balancer is at fault, or the server is at fault.
How big are the headers you are sending to the VIP on the load balancer?
Thank you.
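As an added example (not code from the thread or from A10), this Python helper measures the header block of a captured HTTP/1.x request against the 64KB figure quoted above and lists the largest fields, which answers the "how big are the headers" question before comparing the VIP and the backend. The sample request, the host name, and the assumption that the limit applies to the whole header block are constructed for illustration.

```python
# Added example: measure the header block of a raw HTTP/1.x request.
# Assumption: the 64KB limit from the thread is applied to the whole header block.
LIMIT_BYTES = 64 * 1024

def header_report(raw_request: bytes, limit: int = LIMIT_BYTES) -> dict:
    """Return the header block size and the three largest header fields."""
    head, sep, _body = raw_request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no blank line ending the headers")
    lines = head.split(b"\r\n")
    request_line, field_lines = lines[0], lines[1:]
    sizes = {}
    for line in field_lines:
        name, colon, _value = line.partition(b":")
        if not colon:
            raise ValueError(f"malformed header line: {line[:40]!r}")
        key = name.strip().lower().decode("latin-1")
        # Repeated fields (several Cookie lines) are summed; +2 counts the CRLF.
        sizes[key] = sizes.get(key, 0) + len(line) + 2
    total = len(head) + len(sep)  # request line, all fields, terminating blank line
    largest = sorted(sizes.items(), key=lambda kv: kv[1], reverse=True)[:3]
    return {
        "request_line_bytes": len(request_line) + 2,
        "total_header_bytes": total,
        "largest_fields": largest,
        "over_limit": total > limit,
    }

def build_sample(cookie_len: int) -> bytes:
    """Constructed sample request with a Cookie value of cookie_len bytes."""
    return (
        b"GET /app HTTP/1.1\r\n"
        b"Host: vip.example.test\r\n"
        b"Cookie: session=" + b"A" * cookie_len + b"\r\n"
        b"Accept: */*\r\n"
        b"\r\n"
        b"ignored body"
    )

if __name__ == "__main__":
    for n in (200, 70_000):
        r = header_report(build_sample(n))
        print(n, r["total_header_bytes"], r["largest_fields"][0], r["over_limit"])
```

Running the same report on the request as sent to the VIP and as sent directly to the backend shows whether a header added or grown along the path pushes it over the limit.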
Re: session log is show reserve source and destination is ip 0.0.0.0 and client is not use web http
This may suggest that the session between the A10 and the Real Server cannot be established. I would check the following:
- service-group configuration on the virtual server and that at least 1 service-group member is in UP status
- connectivity from A10 to the real server's TCP Port
- Whether or not Source NAT is required on the virtual server. If SNAT is not configured, A10 needs to be in the path between real server and client such as the A10 configured as default gateway for the real server.
After that, a packet capture (axdebug) may be necessary to observe the traffic.
Re: Internet Access
Lynda - I'm not sure we have enough information to assist. Where are your ADCs installed? On prem, cloud? Have you worked with your internal network team to validate this information?
To further assist, you can work with your local account team and discuss Professional Services options that will work with you on the deployment of the devices and ensure they are set up and fully utilized as you need.
Re: Harmony Controller
Harmony Controller is installed on top of a Linux server and relies on the underlying networking configuration of that server. You would need to configure that Linux server's ethernet interface / DNS / gateway accordingly to provide Internet access.
Re: A10 network updates
At this time, ACOS does not connect to the internet directly for updates. Updates are downloaded by the user and applied through the Web GUI or from a specified remote server via CLI.
Re: Snat in NHLD with alternate server
Try replacing source-nat auto with a NAT pool group. ACOS will apply the correct member for the outbound route.
```
ACOS(config)# ip nat pool-group outbound-nat-group
ACOS(config-pool-group:outbound-nat-gro)# member STATIC-1
ACOS(config-pool-group:outbound-nat-gro)# member STATIC-2

slb virtual-server WCARD-VIP 0.0.0.0
  port 0 tcp
    no-dest-nat
    service-group SG-INTERNET-TCP
    pool outbound-nat-group
```
Re: 2 Active Link and 1 Backup Link
Within the NHLD service group configurations, configure the 2 active link members with a higher priority than the 1 backup link member. With this configuration, the backup link member should only be used if both active link members are in a down state. Example:
```
slb service-group outbound-tcp-links tcp
  member Pri-1 0
    priority 10
  member Pri-2 0
    priority 10
  member Backup 0
    priority 5
!
slb service-group outbound-udp-links udp
  member Pri-1 0
    priority 10
  member Pri-2 0
    priority 10
  member Backup 0
    priority 5
```
Re: Load Balancing IPSEC VPN UDP-500 & UDP-4500
Thanks Guys, your replies have led me straight to a working configuration. Following holiday / family bereavement / other work commitments we now have this up and running.
The config below is working fine, and I thought I would share it to say thanks and in case it helps others.
Our front end Virtual Server IP is 192.168.98.1
The two RAS servers are 192.168.99.8 & 192.168.99.9
```
!
slb server S-MS-AoVPN-RAS1 192.168.99.8
  port 500 udp
    health-check-disable
  port 4500 udp
    health-check-disable
!
slb server S-MS-AoVPN-RAS2 192.168.99.9
  port 500 udp
    health-check-disable
  port 4500 udp
    health-check-disable
!
slb service-group SG-MS-AoVPN-UDP-4500 udp
  template port template_delsessiondown
  member S-MS-AoVPN-RAS1 4500
  member S-MS-AoVPN-RAS2 4500
!
slb service-group SG-MS-AoVPN-UDP-500 udp
  template port template_delsessiondown
  member S-MS-AoVPN-RAS1 500
  member S-MS-AoVPN-RAS2 500
!
slb template persist source-ip T-MS-AoVPN-SRC-IP
  match-type server
!
slb template udp template_reselectifdown
  re-select-if-server-down
!
slb virtual-server VS-MS-AoVPN 192.168.98.1 /32
  disable-when-all-ports-down
  port 500 udp
    service-group SG-MS-AoVPN-UDP-500
    template persist source-ip T-MS-AoVPN-SRC-IP
    template udp template_reselectifdown
  port 4500 udp
    service-group SG-MS-AoVPN-UDP-4500
    template persist source-ip T-MS-AoVPN-SRC-IP
    template udp template_reselectifdown
!
```