/cfg/slb/virt <server id>/service/basic-slb
Virtual Server Basic SLB Service Configuration Menu
 
[Virtual Server 22 66 basic-slb Service Menu]
name - Set descriptive virtual service name
appshape - AppShape++ Menu
tcpopt - TCP Optimization Menu
connmgt - Set connection management for Basic-Slb traffic
protocol - Set protocol for this virtual service (TCP/UDP)
pip - Proxy IP Menu
ssl - SSL Load Balancing Menu
group - Set real server group number
rport - Set real port
hname - Set hostname
cont - Set BW contract for this virtual service
pbind - Set persistent binding type
thash - Set hash parameter
report - Set report granularity level
tmout - Set minutes inactive connection remains open
ptmout - Set in minutes for inactive persistent connection
clsaging - Set close connection on aging treatment
clfstage - Set close connection on fastaging treatment
dbind - Enable/disable/forceproxy delayed binding
clsrst - Enable/disable send RST on connection close
frag - Enable/disable remapping UDP server fragments
nonat - Enable/disable only substituting MAC addresses
direct - Enable/disable direct access mode
mirror - Enable/disable session mirroring
winsize0 - Enable/disable using window size zero in SYN+ACK
sesslog - Enable/disable session logging
eaaf - Enable/disable ERT Active Attackers Feed service
udpage - Enable/disable fast aging of UDP sessions
cluster - Enable/disable updates to cluster frontend
applic - Set virtual service applic name
rtsrctun - Enable/disable return to source tunnel
adv - Service Report Menu
del - Delete virtual service
cur - Display current virtual service configuration
 
Virtual Server Basic-SLB Service Configuration Options (/cfg/slb/virt/service/basic-slb) 
Command Syntax and Usage
name
 
Sets a description of up to 32 characters for the virtual service.
appshape
 
Displays the AppShape++ menu for managing AppShape++ scripts. To view this menu, see /cfg/slb/virt/service/basic-slb/appshape AppShape++ Menu.
tcpopt
 
Displays the TCP Optimization menu for adding a TCP optimization policy to the client-side and server-side flows of a virtual service. To view this menu, see /cfg/slb/virt/service/basic-slb/tcpopt TCP Optimization Menu.
connmgt enabled|disabled
 
Specifies whether to enable TCP multiplexing on a service.
Connection management increases throughput and server capacity by minimizing the number of TCP connection establishments between Alteon and back-end servers. The TCP overhead is reduced by allowing multiple clients to reuse existing server connections.
When enabled, one of the following behaviors can be achieved:
*TCP connection pooling — When a server is selected for a new client connection, Alteon reuses an idle connection from the server connection pool. If no idle connection is available, a new back-end connection is opened.
*TCP request multiplexing — When a server is selected for a new client TCP request, Alteon reuses an idle connection from the server connection pool. If no idle connection is available, a new back-end connection is opened. This is required for applications that have long-lived client connections and there is a need to load balance per transaction. To achieve this behavior, an AppShape++ script is required on this service. The script must identify a TCP transaction and signal its completion (and release of the back-end connection back to the idle connection pool) using the TCP::detach command.
Default: disabled
The connmgt command also prompts you to configure the timeout, in minutes, after which an idle back-end connection is closed.
Values: 0 – 32768
Default: 10
protocol tcp|udp|both|stateless
 
Defines the Layer 4 protocol for applications that can run on either TCP or UDP. Read-only for applications that only run on a specific Layer 4 protocol.
Available protocols vary according to the application selected.
Values:
*tcp — For load balancing a TCP service.
*udp — For load balancing a UDP service.
*both — (Available for IP applications only.) For load balancing TCP and UDP services. When this option is selected, IPsec and ICMP are included in the services to be load balanced.
*sctp — For load balancing an SCTP service. Protocol is automatically set to SCTP and cannot be changed when the application is set to SCTP.
*stateless — No session table entry is created. Because no session is created, you have to bind to a new server every time.
Default: tcp
Note: If applying a filter to the same virtual server IP address on which UDP load balancing is enabled, disable caching on that filter for optimal performance. For more information, see the cache command in /cfg/slb/filt <filter number>/adv Filter Advanced Menu.
pip
 
Displays the Proxy IP menu. To view this menu, see /cfg/slb/virt/service/basic-slb/pip Proxy IP Menu.
ssl
 
Displays the SSL Load balancing menu. To view this menu, see /cfg/slb/ssl SSL SLB Configuration.
group <real server group ID>
 
Sets the real server group for this service.
Default: 1
rport <real server port (0, 1, 5-65534)>
 
Specifies the Layer 4 TCP or UDP port on which the real servers listen for this service.
This parameter must be specified only when all real servers listen for the service on a port that is different from the service port. For all other cases it should be left empty (0).
The real server port can alternatively be defined at real server level, allowing for different listening ports per server.
Values: 0, 1, 5 – 65534
Default: 0. Alteon uses the port defined at /cfg/slb/virt/service <virtual port>.
hname <hostname>|none
 
Sets the hostname for the virtual service.
Alteon uses this together with the domain name configured at virtual server level to create a fully qualified domain name for the virtual service.
For example, to add a host name for Web services, you could specify “www” as the host name. If “foocorp.com” is defined as the domain name, “http://www.foocorp.com” would be the full host or domain name for the virtual service.
The domain and host name are used for global server load balancing as well as for HTTP/S health checking when the health check hname command is defined as inherit.
Maximum characters: 34
cont <BWM Contract (0-1024), 0 for VIP default>
 
Specifies a bandwidth management contract for traffic to the virtual server. By default, all services under this virtual server are assigned this contract. You can also define the contract at the virtual service level with the /cfg/slb/virt <number>/service <number>/cont command.
All frames that match this virtual server's services are assigned this contract if the previously assigned contract for the frame has lower or equal precedence to the virtual server contract.
Default: 1024
Note: If you enter 0 for the service contract, it carries the value entered for the virtual server IP (vip) contract.
pbind clientip|disable
 
Specifies the parameter that defines a persistent session.
Values:
*clientip — Uses the client IP address as the session identifier, and associates all connections from the same client with the same real server until the client becomes inactive, and the persistent entry is aged out of the session table.
Different services from the same client may not map to the same server.
The real server connection timeout value (/cfg/slb/real/tmout) controls how long these inactive but persistent connections remain associated with their real servers.
When the client resumes activity after their connection has been aged out, they are connected to the most appropriate real server based on the load balancing metric.
An alternative approach may be to use the /cfg/slb/group/content/metric command to set the minmisses or hash real server group metrics.
With clientip enabled, Alteon maps HTTP and HTTPS traffic from the same client to the same server regardless of the load balancing metric used because the services are related.
For more information, see Server Load Balancing Metrics.
*disable — Disables persistence for this service.
Default: disable
thash sip|sip+sport
 
Specifies the parameters for computing the hash value used by the hash, phash, and minmisses SLB metrics.
Tunable hash lets the user select different parameters for computing the hash value used by the hash, phash, and minmisses SLB metrics. For example, the source IP address, or both source IP address and source port. If you do not select any hash parameter, Alteon uses the default sip hash parameter.
Default: sip
report service|real
 
Specifies the service reporting level.
Alteon devices can send Device Performance Monitoring (DPM) data to Cyber Controller (or APSolute Vision 4.x). Cyber Controller processes the data and can display the information in the Device Performance Monitoring Web interface.
Values:
*service — Device Performance Monitoring statistics are collected and displayed for each virtual service.
*real — Device Performance Monitoring statistics are collected and displayed for each virtual service per group per real server.
Default: service
tmout <even number of minutes (0-32768)>
 
Specifies the length of time, in minutes, that an inactive session remains in the session table.
Every client-to-server session being load balanced is recorded in the session table. When the client ends the session, the session table entry is removed.
In certain circumstances, such as when a client application is abnormally terminated by the client’s system, TCP and UDP connections remain registered in the session table. In order to prevent table overflow, these orphaned entries must be aged out of the session table.
Values:
*0 — The service uses the inactivity timeout value of the real server, which is 10 minutes by default. The inactivity timeout value is set at /cfg/slb/real/tmout.
*2 – 32768 (in even numbered increments)
Default: 0
ptmout <even number of minutes (0-32768)>
 
Specifies the time, in minutes, after which an inactive persistence entry is removed.
By default, Alteon inserts a session cookie (with no expiry parameter). The virtual service ptmout option defines the aging of the cookie value.
If the cookie expiration timer is not specified, the cookie will expire when the user’s session ends. If the cookie expiration time is greater than the virtual service ptmout value, timed-out requests will not be persistent.
Default: 0
srvdown drop|rst
 
Specifies how Alteon handles new connections when a TCP service is unavailable.
This command can be used only when dbind is disabled.
Values:
*rst — Alteon resets the client.
*drop — Alteon drops new requests for the service.
Default: drop
Note: When this command is set to send rst, the VIP address remains in L2/L3 tables even if no services are available on it, to allow new requests to reach Alteon from clients.
clsaging [disable|client|server|both]
 
Specifies whether to reset a connection when a session slowages out by sending a TCP RST message.
*disable — Alteon does not reset a connection when a session slowages out.
*client — Alteon sends an RST message to the client when a session slowages out.
*server — Alteon sends an RST message to the server when a session slowages out.
*both — Alteon sends an RST message to both the client and the server when a session slowages out.
Default: disable
clfstage [disable|client|server|both]
 
Specifies whether to reset a connection when a session fastages out by sending a TCP RST message.
*disable — Alteon does not reset a connection when a session fastages out.
*client — Alteon sends an RST message to the client when a session fastages out.
*server — Alteon sends an RST message to the server when a session fastages out.
*both — Alteon sends an RST message to both the client and the server when a session fastages out.
Default: disable
dbind disable|forceproxy
 
Enables or disables full proxy mode for TCP services.
Delayed binding prevents SYN denial-of-service (DoS) attacks on the server. DoS occurs when the server or Alteon cannot service the client because they are saturated with invalid traffic.
Using delayed binding, Alteon intercepts the client SYN request before it reaches the server. Alteon responds to the client with a SYN ACK that contains embedded client information. Alteon does not allocate a session until a valid SYN ACK is received from the client or the three-way handshake is complete.
The Application Service Engine is a full TCP proxy which performs delayed binding of connections, during which it can optimize TCP behavior, intercept client requests and server responses to modify them, and so on. In some cases, the proxy behavior itself may be required even without the use of any other application service. For this purpose, you can set delayed binding to force proxy mode. In this mode, the Application Service Engine performs TCP optimizations without SYN attack protection, functions as a full TCP proxy, performs persistence for HTTP cookies to reorder TCP packets which do not arrive in the correct order, and so on.
For example, when no Layer 7 application services (such as SSL offloading, caching, compression, or HTTP modifications) are in use, and when no Layer 7 requests are coming from the client, force proxy mode forces Alteon to perform a back-end TCP handshake. If the server does not respond within a configured period, Alteon moves to the next server.
Values:
*disable — Alteon processes traffic at Layer 4 without any interference in the TCP session.
*forceproxy — Alteon processes traffic in full proxy mode using the Application Service Engine. In full proxy mode independent sessions are established to the client and to the servers. The following capabilities require full proxy mode: advanced Layer 7 content switching and modification, SSL offload, Web acceleration, AppWall and Authentication Gateway, APM, TCP optimization, and IPv6/4 gateway.
Default: disable
Important: When a service uses Delayed Binding (dbind) in forceproxy mode, it is important to understand how aging is handled. You can expect the following behaviors in these scenarios, depending on whether TCP connection multiplexing (mux) is enabled or disabled.
*mux disabled — You have Alteon in forceproxy mode handling a session with two connections. In this case, Alteon terminates the client-side connection using FIN when the backend connection is closed by the server. Once a FIN-ACK response is received from the client, Alteon then deletes the session entry.
*mux enabled — When a server closes a connection, the VIP does not close the client-side connection except while in the middle of multiplexing the transaction. Using fastage, Alteon deletes frontend sessions from the session tables only in the following cases: acceleration engine (AX) deleted the session, server closed the final transaction, and client closed the session using FIN.
Note: The Application Service Engine can work in both Alteon delayed binding modes. In enabled delayed binding mode, the Application Service Engine only provides SYN attack protection. In force proxy mode, it only provides TCP optimizations.
For a list of the services that support the delayed binding forceproxy option, see Services Supporting forceproxy.
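The SYN-ACK with embedded client information described for delayed binding above, sketched as a SYN-cookie-style scheme (an added example, not Radware code and not Alteon's actual algorithm). The secret, the 6/2/24-bit cookie layout, the MSS table and the 64-second time slot are assumptions; all addresses are constructed.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # assumption: device-local key, rotated in practice
MSS_TABLE = (536, 1300, 1440, 1460)   # assumption: 2-bit index into common MSS values
SLOT_SECONDS = 64                     # assumption: length of one cookie time slot
MASK32 = 0xFFFFFFFF


def _mac24(tup, client_isn, slot):
    """24-bit keyed digest binding the cookie to the 4-tuple, client ISN and slot."""
    msg = "|".join(map(str, (*tup, client_isn, slot))).encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(tup, client_isn, mss, now):
    """Sequence number for the SYN-ACK: 6-bit slot | 2-bit MSS index | 24-bit MAC."""
    slot = int(now) // SLOT_SECONDS
    # Largest table entry that does not exceed the client's MSS (index 0 as floor).
    mss_idx = max(i for i, m in enumerate(MSS_TABLE) if m <= mss or i == 0)
    return ((slot & 0x3F) << 26) | (mss_idx << 24) | _mac24(tup, client_isn, slot)


def check_cookie(tup, client_isn, cookie, now):
    """Return the negotiated MSS if the cookie is authentic and fresh, else None."""
    slot_now = int(now) // SLOT_SECONDS
    for age in (0, 1):                          # accept current and previous slot
        slot = slot_now - age
        if (slot & 0x3F) != (cookie >> 26):
            continue
        expected = _mac24(tup, client_isn, slot).to_bytes(3, "big")
        if hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[(cookie >> 24) & 0x3]
    return None


class DelayedBinder:
    """Front end that allocates a session entry only after the handshake completes."""

    def __init__(self):
        self.sessions = {}

    def on_syn(self, tup, client_isn, mss, now):
        # Nothing is stored: the client information travels inside the SYN-ACK.
        return make_cookie(tup, client_isn, mss, now)

    def on_ack(self, tup, seq, ack, now):
        client_isn = (seq - 1) & MASK32         # the final ACK carries ISN+1
        cookie = (ack - 1) & MASK32             # and acknowledges cookie+1
        mss = check_cookie(tup, client_isn, cookie, now)
        if mss is None:
            return False                        # forged or stale: no session created
        self.sessions[tup] = {"mss": mss}
        return True


def flood_then_connect(n_spoofed=1000, now=1_700_000_000):
    """Constructed scenario: n spoofed SYNs, then one client that finishes the handshake."""
    lb = DelayedBinder()
    for i in range(n_spoofed):                  # spoofed sources never send the ACK
        lb.on_syn((f"10.0.{i // 256}.{i % 256}", 1024 + i, "203.0.113.10", 80), i, 1460, now)
    after_flood = len(lb.sessions)
    client = ("198.51.100.7", 40000, "203.0.113.10", 80)
    synack_seq = lb.on_syn(client, 123456, 1400, now)
    ok = lb.on_ack(client, 123457, (synack_seq + 1) & MASK32, now + 2)
    return after_flood, ok, lb.sessions.get(client)
```

The session table stays empty throughout the spoofed SYNs and gains one entry only when the real client returns a valid acknowledgment.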
clsrst disable|enable
 
Specifies how Alteon closes client-side and server-side sessions.
Values:
*disable — When Alteon receives a FIN message from the client, Alteon performs a graceful closure of both client-side and server-side sessions.
*enable — When Alteon receives a FIN message from the client, Alteon closes the server-side session entry using RST for fastage.
Default: disable
Note: To enable session reset on connection close, full proxy mode (forceproxy) must be enabled.
frag disable|enable
 
Specifies whether to enable remapping of UDP server fragments for a virtual port.
Default: enable
nonat disable|enable
 
Specifies whether to enable Direct Server Return, which allows the servers to respond directly to the client, without passing through Alteon. This is useful for sites where large amounts of data flow from servers to clients, such as with content providers or portal sites that typically have asymmetric traffic patterns.
When Direct Server Return is enabled, Alteon translates only the destination MAC address to the real server MAC address, and not the destination IP. On the servers you must define a loopback interface with the virtual server IP address.
Direct Server Return and content-intelligent Layer 7 load balancing cannot be performed at the same time because content-intelligent load balancing requires that all frames go back to the Alteon for connection splicing.
Default: disable
direct disable|enable
 
Specifies whether to enable or disable Direct Access Mode (DAM) on this virtual service. This takes precedence when DAM is globally enabled on Alteon.
Direct Access Mode (DAM) allows any client to communicate with any real server’s load balanced service, and any number of virtual services can be configured to load balance a real service.
DAM enables both client and server processing on the same port to handle traffic that requires direct access to real servers.
DAM is necessary for applications such as:
*Direct access to real servers for management or administration.
*One real server serving multiple virtual server IP (VIP) addresses.
*Content-intelligent load balancing, which requires traffic to go to specific real servers based on the inspection of HTTP headers, content identifiers such as URLs and cookies, and the parsing of content requests.
Default: enable
mirror disable|enable
 
Specifies whether to enable or disable session mirroring on the selected virtual service.
Session mirroring synchronizes the state of active connections with the standby Alteon to prevent service interruptions in case of failover.
Session mirroring is recommended for long-lived TCP connections, such as FTP, SSH, and Telnet connections. Session mirroring for protocols characterized by short-lived connections such as UDP and in many cases HTTP, is not necessary. Radware recommends that you use session mirroring only when you need to maintain the state of a long connection.
When implementing session mirroring, note the following:
*Session mirroring is supported in VRRP active-standby and hot-standby configurations, as well as Switch HA high availability configurations.
*Session mirroring is only supported for Layer 4 SLB sessions and static NAT filtering sessions.
*Session mirroring is supported only for the following protocols and filters: SIP; FTP; NAT filters; Layer 4 SLB with delayed binding.
*Session mirroring is not supported for the following protocols and filters: Active-active VRRP; RTSP; Layer 7 SLB; Allow, deny, redir filters.
*Session mirroring is not supported in IPv6 Server Load Balancing sessions.
*A direct interswitch link between the primary and backup Alteons is necessary to route the NAAP packets.
Default: disable
winsize0 disable|enable
 
Specifies whether to set a zero window size in SYN-ACK messages.
A zero window size prevents Alteon from accepting data.
Default: disable
sesslog disable|enable
 
Specifies whether to enable or disable session logging.
Session logs are sent to the syslog servers via the data port when the sessions are deleted or aged out. The Alteon switch processor sends the buffered session logging data to the syslog server at regular intervals (every 30 seconds) if the buffer is not completely filled. There will be no session syslog if no sessions have aged out during this duration of 30 seconds.
Notes:
*Syslog servers configured on Alteon must be accessible via the data ports.
*Session logs are sent to the defined syslog host on port 514 only.
*Alteon uses both source and destination port 514 to send session log messages.
*Session logs are sent only via the data port.
Default: disable
eaaf disabled|enabled
 
Displays the ERT Active Attackers Feed menu. To view this menu, see /cfg/slb/virt/service/basic-slb/eaaf ERT Active Attackers Feed Menu.
udpage disable|enable
 
Specifies whether to mark for fastage and quickly remove from the session table a UDP session entry when a response is received. Enabling this parameter allows processing of higher UDP loads.
This parameter should be disabled when an AppShape++ script is used to perform a fastage scan on UDP sessions.
The fastage scan removes TCP and UDP sessions that have been closed with a TCP FIN flag, and sessions that have been identified by the slowage scan as idle for the maximum allowed period. If a large fastage value is defined, a session can remain in the session table for several minutes. Each incremental increase of the scan frequency doubles the length of the interval between scans.
Default: enable when the application is dns, otherwise disable.
cluster disable|enable
 
Specifies whether to configure the service as a member of the cluster, and send updates to the front-end Alteon.
The cluster feature enables you to configure a two-tier data center in GSLB environments.
Such a cluster includes:
*A front-end device (or redundant pair) that performs GSLB functionality and Layer 4 load balancing of traffic between cluster members.
*Multiple back-end devices (members) that perform the required application traffic processing.
For the front-end devices to make appropriate GSLB decisions, they need to know the availability of local servers attached to member Alteon devices.
Default: disable
applic
 
Specifies the name used to combine several services into a single application in the virtual service report.
Maximum characters: 261 (64 in Alteon version 32.6.0.0 and earlier)
adv
 
Displays the Service Advanced menu. To view this menu, see /cfg/slb/virt/service/basic-slb/adv Service Advanced Menu.
rtsrctun
 
Enables a front-end Alteon to reply to a request using the same tunnel through which the request was received when encapsulated traffic is received over multiple tunnels and no IP route is configured for a tunnel.
Default: disabled
del
 
Removes this virtual service from operation and deletes it from the Layer 4 switching software configuration.
Note: Use this command with caution, as it will delete the options that have been set for this virtual service.
cur
 
Displays the current configuration of services on the specified virtual server.
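The value ranges and option dependencies stated in the descriptions above, collected into a small checker for reviewing a service definition (an added example, not part of the Radware guide). The dictionary input format and the sample services are constructed; the checker does not parse real Alteon configuration dumps.

```python
# Allowed values, taken from the option descriptions on this page.
ENUMS = {
    "protocol": {"tcp", "udp", "both", "sctp", "stateless"},
    "pbind": {"clientip", "disable"},
    "thash": {"sip", "sip+sport"},
    "report": {"service", "real"},
    "srvdown": {"drop", "rst"},
    "clsaging": {"disable", "client", "server", "both"},
    "clfstage": {"disable", "client", "server", "both"},
    "dbind": {"disable", "forceproxy"},
}
TOGGLES = ("clsrst", "frag", "nonat", "direct", "mirror",
           "winsize0", "sesslog", "udpage", "cluster")
MAX_LEN = {"name": 32, "hname": 34}


def check_service(cfg):
    """Return findings for one service given as {option: value}; numbers are ints."""
    findings = []
    for opt, allowed in ENUMS.items():
        if opt in cfg and cfg[opt] not in allowed:
            findings.append(f"{opt}: {cfg[opt]!r} is not one of {sorted(allowed)}")
    for opt in TOGGLES:
        if opt in cfg and cfg[opt] not in ("disable", "enable"):
            findings.append(f"{opt}: must be disable or enable")
    for opt, limit in MAX_LEN.items():
        if len(cfg.get(opt, "")) > limit:
            findings.append(f"{opt}: longer than {limit} characters")
    rport = cfg.get("rport", 0)
    if not (rport in (0, 1) or 5 <= rport <= 65534):
        findings.append("rport: must be 0, 1 or 5-65534")
    for opt in ("tmout", "ptmout"):
        minutes = cfg.get(opt, 0)
        if not (0 <= minutes <= 32768 and minutes % 2 == 0):
            findings.append(f"{opt}: must be an even number of minutes in 0-32768")
    if not 0 <= cfg.get("cont", 1024) <= 1024:
        findings.append("cont: must be 0-1024")
    # Cross-option dependencies stated under srvdown and clsrst.
    dbind = cfg.get("dbind", "disable")          # page default
    if "srvdown" in cfg and dbind != "disable":
        findings.append("srvdown: can be used only when dbind is disabled")
    if cfg.get("clsrst") == "enable" and dbind != "forceproxy":
        findings.append("clsrst: enable requires dbind forceproxy")
    return findings


# Constructed sample services.
GOOD = {"name": "web-frontend", "protocol": "tcp", "rport": 8080,
        "tmout": 10, "dbind": "forceproxy", "clsrst": "enable"}
BAD = {"protocol": "tcp", "rport": 3, "tmout": 15, "thash": "dip",
       "dbind": "forceproxy", "srvdown": "rst"}

if __name__ == "__main__":
    for label, svc in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_service(svc) or "no findings")
```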
Services Supporting forceproxy lists the services that support the delayed binding forceproxy option.
 
Services Supporting forceproxy
Number        TCP/UDP Applications    Number        TCP/UDP Applications
37            time                    162           snmptrap
42            name                    194           irc
53            domain (DNS)            443           https/ssl
80            http                    520           rip
119           nntp                    5060, 5061    sip
123           ntp                     9201          wts
143           imap                    1812          radius
144           news                    1813          radius-acc