gsparams

Required Command-Line Mode = Configure

Use the gsparams command to set options for GigaSMART operations on GigaVUE H Series nodes.

This command does not apply to GigaVUE TA Series nodes.

The gsparams command has the following syntax:

gsparams gsgroup <GigaSMART group alias>

cpu utilization type total rising <20-99%>

dedup-action <count | drop>
   dedup-ip-tclass <ignore | include>
   dedup-ip-tos <ignore | include>
   dedup-tcp-seq <ignore | include>
   dedup-timer <10-500000μs>
   dedup-vlan <ignore | include>

diameter-s6a-session <limit | timeout>

diameter-packet <timeout>

diameter-whitelist <add <diameter whitelist file alias> | delete>
   eng-watchdog-timer <<60-600> | disable>
   erspan3-timestamp format <gs | none | x12-ts>
   flow-mask <disable | enable <default | offset <0-111> length <1-112>>>
   flow-sampling-device-ip-ranges
      add ip4addr <IP address> <netmask>
      delete <all | <ip-id <1-64>>
   flow-sampling-rate <5-95%>
   flow-sampling-timeout <1-60 min>
   flow-sampling-type <device-ip | device-ip-in-gtp>


   generic-session-timeout <5-600 seconds>
   gtp-control-sample <disable | enable>

  gtp-randomsample <disable | enable>

  gtp-randomsample interval <12-48 hours>

   gtp-flow timeout <1-6000 in the unit of 10 minutes>
   gtp-persistence
      disable
      enable
      file-age-timeout <10-1440>
      interval <10-1440>
      restart-age-time <10-1440>


   gtp-whitelist <add <GTP whitelist file alias> | delete>
   hsm-group
      add <HSM group alias>
      delete
   ip-frag
      forward <disable | enable>
      frag-timeout <5-180 sec>
      head-session-timeout <15-240 sec>
   lb
      failover <disable | enable>
      failover-thres lt-bw <threshold bandwidth 50-90%> | lt-pkt-rate <packet rate 500-5000kpps>
      replicate-gtp-c <disable | enable>
      use-link-spd-wt <disable | enable>
   netflow-monitor <add <monitor name> | delete>

node-role

control

disable

user
  

         resource
      buffer-asf <<2-5> | disable>
      cpu overload-threshold <<50-90> | disable>
      hsm-ssl
         buffer <<1-3> | disable>
         packet-buffer <20-3000>
      packet-buffer overload-threshold <<50-80> | disable>

inline-ssl

      standalone <enable | disable>
   rtp-port range <1~65535 | x..y>

sffp-profile <add | delete> <sffp-profile alias>
   sip-portlist <1-65535>
   sip-session timeout <30-300>
   sip-tcp-idle-timeout <20-600>
   sip-whitelist
      add <SIP whitelist file>
      delete

  sip-nat <disable | enable>
   ssl-decrypt
      decrypt-fail-action <drop | pass-tool>
      disable
      enable
      hsm-pkcs11
         dynamic-object <disable | enable>
         load-sharing <disable | enable>
      hsm-timeout <2-5000>
      key-cache-timeout <1-86400>
      key-map
         add service <service alias> key <key alias>
         delete service <<service alias> | all>
      non-ssl-traffic <drop | pass>
      pending-session-timeout <30-120>
      session-timeout <30-3600>
      tcp-syn-timeout <20-600>
      ticket-cache-timeout <1-86400>
         tunnel-health-check
      action <drop | pass>
      disable
      dstport <destination port for UDP>
      enable
      interval <5-600>
      protocol <icmp | udp>
      rcvport <receive port on decapsulation side>
      retries <1-5>
      roundtriptime <1-4>
      srcport <source port for UDP>

The following table describes the arguments for the gsparams command:

Argument

Description

gsgroup <GigaSMART group alias>

Specifies the alias for this GigaSMART group.

Specifies the TCP load balancing options as follows:

enable—Enables the application TCP load balancing.
disable—Disables the application TCP load balancing.
The default is disable.
Drop—Packets are sent to the collector if collectore is configured. Drops the packets if the collector is not configured.
Broadcast—Broadcast all the packets to all the ports configured as part of all the maps.
application—Specifies unknown application message action.
control—Specifies the TCP control message action

cpu utilization type total rising <20-99%>

Specifies GigaSMART CPU utilization options as follows:

rising—Configures the rising threshold for GigaSMART CPU
statistics. The default is 90%.

This command sets the rising threshold on the GigaSMART engine port(s), as a percentage from 20 to 99.

A CPU utilization alarm can be sent when the rising threshold is exceeded. Alarms are reported to all configured SNMP trap destinations and recorded in the log file.

For example:

(config) # gsparams gsgroup gg1 cpu utilization type total rising 95

Refer to the GigaSMART CPU Utilization Statistics” section in the GigaVUE-FM User’s Guide for details.

dedup-action <count | drop>

Specifies whether duplicate packets are to be counted or dropped by GigaSMART as follows:

count—Counts the duplicate packets, but does not drop them.
drop—Drops the duplicate packets.
The default is drop.

For example:

(config) # gsparams gsgroup gs2port1 dedup-action count

Refer to the GigaSMART De-Duplication section in the GigaVUE-FM User’s Guide for details.

dedup-timer <10-500000μs>

Configures the time interval within which an identical packet will be considered a duplicate. The greater the interval over which traffic can be checked for duplicates, the higher the accuracy of the de-duplication detection and subsequent elimination. The default is 50000µs.

For example, if two of the same packets are seen in the specified time interval, the packets will be detected as duplicates. If one packet is seen in the time interval and another packet is seen in a later time interval, the packets will not be detected as duplicates.

Retransmissions are not counted as duplicates.

For example:

(config) # gsparams gsgroup gs2port1 dedup-timer 55000

Refer to the “GigaSMART De-Duplication” section in the GigaVUE-FM User’s Guide.

dedup-ip-tclass <ignore | include>
dedup-ip-tos <ignore | include>
dedup-tcp-seq <ignore | include>
dedup-vlan <ignore | include>

Fine-tunes how duplicates are detected. You can configure the packet fields that are used to detect duplicates.

Different network implementations can change certain packet header fields (for example, the TCP sequence number). If you want to be able to detect duplicates without requiring that these fields match (ToS field, TCP sequence number, VLAN ID), you can disable the corresponding option. The options are as follows:

dedup-ip-tclass—Ignores or includes IPv6 traffic class. Use for IPv6. The default is include.
dedup-ip-tos—Ignores or includes the IP ToS bits when detecting duplicates. Use for IPv4. The default is include.
dedup-tcp-seq—Ignores or includes the TCP Sequence number when detecting duplicates. The default is include.
dedup-vlan—Ignores or includes the VLAN ID when detecting duplicates. The default is ignore.

Include means the field will be included when GigaSMART compares packets.

Ignore means the field will be ignored when GigaSMART compares packets.

For example:

(config) # gsparams gsgroup gs2port1 dedup-tcp-seq ignore

Refer to the GigaSMART De-Duplication” section in the GigaVUE-FM User’s Guide for details.

diameter-s6a-session <limit | timeout>

Specifies the Diameter S6a session options as follows:

limit—Number of Session to allocate for Diameter S6a.
timeout—Diameter S6A session inactivity timer in seconds.

diameter-packet <timeout>

Specifies the Diameter S6a packet options as follows:

timeout—Diameter S6A packet inactivity timer in seconds

diameter-whitelist <add <diameter whitelist file alias | delete>

Specifies the alias of the diameter whitelist file to associate with a GigaSMART group (add) or to disassociate from a GigaSMART group (delete).

For example:

(config) # gsparams gsgroup gg1 diameter-whitelist add wlf1

(config) # gsparams gsgroup gg1 diameter-whitelist delete

eng-watchdog-timer <<60-600> | disable>

Specifies the engine watchdog timer. In rare scenarios, a packet processing core in the CPU of a GigaSMART engine can enter a deadlocked state. The engine watchdog timer detects the issue and reloads the GigaSMART engine after a specified number of seconds.

If a core is in a deadlocked state, all packets are dropped.

This parameter specifies the engine watchdog timer as follows:

60-600—Enables the engine watchdog timer and specifies the number of seconds to wait before restarting the GigaSMART engine.
disable—Disables the engine watchdog timer.
The default is enabled. The default value for the timer is 60 seconds.

For example, to change the engine watchdog timer from the default, specify a value within the range of values:

(config) # gsparams gsgroup gsg1 eng-watchdog-timer 100

For example, to disable the engine watchdog timer:

(config) # gsparams gsgroup gsg1 eng-watchdog-timer disable

erspan3-timestamp format <gs | none | x12-ts>

Specifies the ERSPAN Type III timestamp trailer format for tunnel decapsulation as follows:

gs—Specifies GigaSMART timestamp trailer format.
none—Specifies no timestamp trailer.
x12-ts—Specifies PRT-H00-X12TS timestamp trailer format.
The default is none.

For example:

(config) # gsparams gsgroup gsg_erspan erspan3-timestamp format gs

Refer to the GigaSMART ERSPAN Tunnel Decapsulation” section in the GigaVUE-FM User’s Guide.

flow-mask <disable | enable <default | offset <0-111> length <1-112>>>

Specifies parameters for flow masking to improve GigaSMART packet processing for traffic containing MPLS, L2GRE, or VNTag headers as follows:

disable—Disables flow masking.
enable—Enables flow masking as follows:
default—Specifies a default offset of 14 bytes and a default length of 28 bytes.
offset—Specifies the number of bytes from the beginning of the packet to the start of the mask within the packet. The values range from 0 to 111.
length—Specifies the number of bytes, following the offset, to mask within the packet. The length identifies a traffic flow. The values range from 1 to 112.
The default is disable.

Masking bytes are limited to 112 bytes from the beginning of the packet. The offset plus length cannot be greater than 112.

Examples:

(config) # gsparams gsgroup gg1 flow-mask enable default
(config) # gsparams gsgroup gg1 flow-mask enable offset 38 length 8
(config) # gsparams gsgroup gg1 flow-mask disable

Refer to the GigaSMART MPLS Traffic Performance Enhancement” section in the GigaVUE-FM User’s Guide for details.

flow-sampling-device-ip-ranges
   add ip4addr <IP address> <netmask> |
   delete <all | <ip-id <1-64>>
flow-sampling-rate <5-95%>
flow-sampling-timeout <1-60 min>
flow-sampling-type <device-ip |
   device-ip-in-gtp>

Specifies FlowVUE sampling parameters as follows:

flow-sampling-device-ip-ranges—Specifies the range of IP addresses that identify a valid device.
flow-sampling-rate—Specifies how much GTP traffic from subscribers in the specified IP ranges is sampled. The values range from 5 to 95%.
flow-sampling-timeout—Specifies after how much time a flow/device in a sampled IP range is declared idle and is no longer sampled. The values range from 1 to 60 minutes.
flow-sampling-type—Specifies whether inner or outer IP addresses are used for FlowVUE sampling as follows:
device-ip—Specifies a sample subset of devices based on IP address.
device-ip-in-gtp—Specifies a sample subset of devices based on inner IP address in the GTP-u tunnel.

For example:

(config) # gsparams gsgroup gsg1 flow-sampling-type device-ip-in-gtp

Use gsparams to configure these values and show gsparams command to verify these parameters. Refer to the GigaSMART FlowVUE section in the GigaVUE-FM User’s Guide for details and examples on FlowVUE.

generic-session-timeout <5-600 seconds>

Specifies the maximum timeout for a session entry in the session table. This is a global session timeout for the specified GigaSMART group.

The values are from 5 to 600 seconds. The default is 5 seconds.

For example:

(config) # gsparams gsgroup gsg1 generic-session-timeout 30

Currently, this timeout only applies to tunnel load balancing for L2GRE tunnel encapsulation. Refer to the “Load Balancing across Tunnel Endpoints” section in the GigaVUE-FM User’s Guide.

gtp-control-sample <disable | enable>

Enables or disables sampling of GTP control plane (GTP-c) traffic as follows:

enable—Specifies that GTP-c packets will be sampled. Only the indicated percentage of the control traffic that matches any of the flow sampling rules will be sent to the tool ports specified in the flow sampling maps.
disable—Specifies that GTP-c packets will not be sampled. 100% of the control traffic that matches any of the flow sampling rules will be sent to the tool ports specified in the flow sampling maps. Control traffic for both accepted and rejected sessions will be sent.
The default is enable.

For example:

(config) # gsparams gsgroup gg1 gtp-control-sample disable

Refer to the “GTP Flow Sampling” section in the GigaVUE-FM User’s Guide.

gtp-randomsample <disable | enable>

Enables or disables sampling of GTP random sample as follows:

enable—Specifies that GTP will be random sampled.
disable—Specifies that GTP will not be random sampled.
The default is disable.

gtp-randomsample interval <12-48 hours>

Specifies the rotation interval for random sampling. The minimum value is 12 hours and the maximum value of the interval is 48 hours.

gtp-flow timeout <1-6000 in the unit of 10
   minutes>

Disconnects a GTP session if it has been inactive for the timeout value. The timeout can be configured as an integer from 1 to 6000, in increments of 10 minutes. The default is 48, which is 480 minutes, which is 8 hours.

For example:

(config) # gsparams gsgroup gg1 gtp-flow timeout 60

gtp-persistence
   disable
   enable
   file-age-timeout <10-1440>
   interval <10-1440>
   restart-age-time <10-1440>

Specifies GTP persistence options for recovering sessions from a restart as follows:

disable—Disables GTP persistence.
enable—Enables GTP persistence. The default is disable.
file-age-timeout—Specifies the time the backup file is considered to be valid, in minutes. After this timeout expires, the backup file is considered to be stale. The default is 30 minutes.
interval—Specifies the time interval between backups, in minutes. The default is 10 minutes.
restart-age-timeout—Specifies the time interval following a reboot for aging out sessions, in minutes. This is a shorter interval than that specified using the gtp-flow timeout. The gtp-flow timeout disconnects a GTP session if it has been inactive for the timeout value, which has a default of 8 hours. The restart-age-timeout default is 30 minutes.

Examples:

(config) # gsparams gsgroup gsg4 gtp-persistence enable
(config) # gsparams gsgroup gsg4 gtp-persistence inteval 15

gtp-whitelist <add <GTP whitelist file alias> |
   delete>

Specifies the alias of the GTP whitelist file to associate with a GigaSMART group (add) or to disassociate from a GigaSMART group (delete).

For example:

(config) # gsparams gsgroup gg1 gtp-whitelist add wlf1
(config) # gsparams gsgroup gg1 gtp-whitelist delete

hsm-group

   add <HSM group alias>

   delete

Configures an SSL Hardware Security Module (HSM) group as follows:

add—Adds an HSM group to a GigaSMART group.
delete—Deletes an HSM group from a GigaSMART group. Only one HSM group can be configured.

Examples:

(config) # gsparams gsgroup gg1 hsm-group add hsm-set
(config) # gsparams gsgroup gg1 hsm-group delete

ip-frag
   forward <disable | enable>
   frag-timeout <5-180 sec>
   head-session-timeout <15-240 sec>

Specifies IP fragmentation options as follows:

forward—Enables or disables IP fragmentation forwarding.
frag-timeout—Defines how long non-head fragment packets will stay in the system, from 5 to 180 seconds.
Sometimes non-head fragment packets arrive before their head fragment packet. GigaSMART will keep the packets and wait for their head fragment packet to arrive. If the head fragment packet does not arrive within this timeout value, the fragmented packets will be dropped.
head-session-timeout—Defines how long the session entry stays in the system, from 15 to 240 seconds.

A session entry is created when a new head fragment packet is received. When subsequent fragment packets arrive, the information in this session will be used to forward the fragmented packets to the same destination as the head fragment packet.

For example:

(config) # gsparams gsgroup gsg1 ip-frag frag-timeout 30

lb
   failover <disable | enable>
   failover-thres lt-bw <threshold bandwidth
      50-90%> | lt-pkt-rate <packet rate
      500-5000kpps>
   replicate-gtp-c <disable | enable>
   use-link-spd-wt <disable | enable>

Specifies load balancing options as follows:

failover—Enables or disables failover when tool ports are down or thresholds to other tool ports in the load balancing port group are exceeded. The default is disabled. A GigaSMART application failover will occur no more than once in 30 seconds.

When the load balance metric is hashing, traffic continues to be sent to the hashed tool port until the port goes down. When a tool port goes down, traffic is rehashed to another tool port in the port group. No rehashing is done to the existing session flow when a port comes up, even if it was previously a down port.
failover-thresh lt-bw—Specifies failover threshold for Least Bandwidth (lt-bw) and Least Packet Rate (lt-bw-rate) load balancing metrics as follows:
For lt-bw, the failover threshold is the percentage of the maximum bandwidth of a tool port. For example, for a 1Gb port, a failover threshold of 90% means that failover to another tool port occurs when the bandwidth reaches 900Mbps. The range is from 50% to 90%. The default is 80%.
For lt-pkt-rate, a tool port will failover to another tool port when the packet rate is over the specified threshold, in packets per second. The range is from 500k packets per second (pps) to 5000k (5M). The default is 1M.
replicate-gtp-c—Enables or disables replicate GTP control packets (GTP-c). The default is disabled.
use-link-spd-wt—Enables or disables weight based on link speed for Weighted Round Robin (wt-round-robin), Weighted Least Bandwidth (wt-lt-bw), Weighted Least Packet Rate (wt-lt-pkt-rate), Weighted Least Connection (wt-lt-conn), and Weighted Least Cumulative Traffic (wt-lt-tt-traffic) load balancing metrics. The default is disabled. When enabled, this parameter ignores the weight configured in the port group.

For example, if a port group consists of four tool ports, and one of them is 100Gb and the others are 10Gb, the 100Gb link will be selected about 10 times more than the 10Gb links.

For example:

(config) # gsparams gsgroup gsgrp1 lb replicate-gtp-c enable

netflow-monitor <add <monitor name> |
   delete>

Specifies NetFlow monitor options as follows:

add—Specifies a NetFlow monitor to add by name.
delete—Deletes a NetFlow monitor.

For example:

(config) # gsparams gsgroup gsg netflow-monitor add mon1
(config) # gsparams gsgroup gsg netflow-monitor delete

node-role

Specifies the role of Control and User Plane Separation (CUPS) node as follows:

control—Specifies a CUPS control node.

disable—Specifies a Non-CUPS node

. User—Specifies a CUPS user node.

For example:

(config) # gsparams gsgroup <alias> node-role control

resource buffer-asf <<2-5> | disable>

Allocates application resources for buffering on Application Session Filtering (ASF). This parameter allocates the number of session entries, in millions, as follows:

2-5—Allocates from 2 to 5 million session entries for buffer ASF.
disable—Removes any configured application resources for buffer ASF.
The default is disable.

The configured application resources will only be available after the GigaSMART line card or module is rebooted. Refer to the “Displaying GigaSMART Application Resource Usage” section in the GigaVUE-FM User’s Guide.

The resources for buffer ASF on the GigaVUE-HB1 can only be configured to 2 million sessions.

Examples:

(config) # gsparams gsgroup gsgrp1 resource buffer-asf 3
(config) # gsparams gsgroup gsgrp1 resource buffer-asf disable

Configure the resources for buffer ASF before configuring apps asf parameters. Refer to apps asf.

resource cpu overload-threshold <<50-90> | disable>

Specifies an overload threshold for CPU resources for GigaSMART operations as follows:

overload-threshold—Species an overload threshold from 50 to 90 percent. Use the overload threshold for overload bypass for inline SSL decryption.
disable—Disables the overload threshold.

The default is 90.

Examples:

(config) # gsparams gsgroup gsg1 resource cpu overload-threshold 70
(config) # gsparams gsgroup gsg1 resource cpu overload-threshold disable

resource packet-buffer overload-threshold <<50-80> | disable>

Specifies an overload threshold for packet buffer resources for GigaSMART operations as follows:

overload-threshold—Species an overload threshold from 50 to 80 percent. Use the overload threshold for overload bypass for inline SSL decryption.
disable—Disables the overload threshold.
The default is 80.

Examples:

(config) # gsparams gsgroup gsg1 resource packet-buffer overload-threshold 60
(config) # gsparams gsgroup gsg1 resource packet-buffer overload-threshold disable

inline-ssl

standalone <disable | enable>

Configures the inline SSL to share resources with other GigaSMART operations as follows:

disable—Disables the standalone mode, the GigaSMART engine resource allocated for Inline SSL feature is reduced to 50% and the residual GigaSMART engine resource can be configured for other GigaSMART applications.
enable—Enables the standalone mode, and configures the GigaSMART resources only for the Inline SSL feature. By default the standalone mode is enabled for the Inline SSL feature.

Examples:

(config) # gsparams gsgroup gsg1 inline-ssl standalone disable
(config) # gsparams gsgroup gsg1 inline-ssl standalone enable

The following notification is displayed when the configuration is changed after resource allocation.
#Changes take effect after card or system reboot

resource hsm-ssl buffer <<1-3> | disable>

Configures resources for the HSM SSL buffer as follows:

1-3—Adds resources for the HSM SSL buffer, from 1 to 3MB, per GigaSMART.
disable—Disables the buffer memory resources for the HSM SSL buffer.
The default is disable.

Examples:

(config) # gsparams gsgroup gsg1 resource hsm-ssl buffer 2
(config) # gsparams gsgroup gsg1 resource hsm-ssl buffer disable

resource hsm-ssl packet-buffer <20-3000>

Configures resources for the HSM SSL packet buffer as follows:

20-3000—Adds resources for the HSM SSL packet buffer, from 20 to 3000, per connection.
The default is 1000.

Packets are buffered while waiting for the session key.

For example:

(config) # gsparams gsgroup gsg1 resource hsm-ssl packet-buffer 600

rtp-port range <1~65535 | x..y>

Specifies the RTP port or ports for SIP/RTP. You must specify a port or a range of ports, from 1 to 65535.

Examples:

(config) # gsparams gsgroup gsg1 rtp-port range 2000
(config) # gsparams gsgroup gsg1 rtp-port range 20000..40000

sffp-profile <add | delete> <sffp-profile-alias>

Add or Delete Transport Agent Profile. To configure the sffp profile, refer to sffp profile.

sip-nat <disable | enable>

Configures SIP-NAT feature as follows:

disable—Disables the SIP-NAT feature.
enable—Enables the SIP-NAT feature.

sip-portlist <1-65535>

 

Specifies the SIP port list for SIP/RTP. You must specify one or more TCP/UDP ports, from 1 to 65535. Use a comma to separate multiple ports.

Examples:

(config) # gsparams gsgroup gsg1 sip-portlist 5060
(config) # gsparams gsgroup gsg1 sip-portlist 5060,5070,5090

sip-session timeout <30-300>

Specifies the SIP session timer for SIP/RTP. This is a SIP session inactivity timer, used to clean up inactive sessions. The range of values is from 30 to 300 seconds. The default is 30 seconds.

For example:

(config) # gsparams gsgroup gsg1 sip-session timeout 48

sip-tcp-idle-timeout <20-600>

Specifies the SIP TCP idle timer for SIP/RTP. The range of values is from 20 to 600 seconds. The default is 20 seconds.

For example:

(config) # gsparams gsgroup gsg1 sip-tcp-idle-timeout 30

sip-whitelist
   add <SIP whitelist file>
   delete

Adds or deletes a SIP whitelist file for SIP/RTP as follows:

add—Adds a SIP whitelist. Specify the alias of the SIP whitelist file containing IMSIs.
delete—Delete the SIP whitelist.

Examples:

(config) # gsparams gsgroup gsg1 sip-whitelist add whitelist1
(config) # gsparams gsgroup gsg1 sip-whitelist delete

ssl-decrypt
   decrypt-fail-action <drop | pass-tool>

Specifies out-of-band SSL decryption failover options as follows:

drop—Drops all traffic for the session if decryption fails.
pass-tool—Passes traffic to a tool port as encrypted packets if decryption fails.
The default is drop.

An out-of-band SSL decryption failure occurs when encrypted traffic cannot be decrypted, for example, when an incoming flow exceeds the maximum supported bandwidth.

For example:

(config) # gsparams gsgroup grp ssl-decrypt decrypt-fail-action pass-tool

ssl-decrypt
   disable
   enable

Specifies Secure Sockets Layer (SSL) decryption options as follows:

disable—Disables out-of-band SSL decryption on whole GigaSMART group.
enable—Enables out-of-band SSL decryption on whole GigaSMART group.
The default is disable.

Disable can be used as debugging aid for traffic to bypass the out-of-band SSL decryption application.

For example:

(config) # gsparams gsgroup grp ssl-decrypt enable

hsm-pkcs11 dynamic-object <disable | enable>

Enables or disables the dynamic object for the HSM PKCS12 file as follows:

disable—Disables the HSM PKCS12 dynamic object parameter.
enable—Enables the HSM PKCS12 dynamic object parameter.
The default is enable.

For example:

(config) # gsparams gsgroup grp ssl-decrypt hsm-pkcs11 dynamic-object disable

hsm-pkcs11 load-sharing <disable | enable>

Enables or disables load sharing for the HSM PKCS12 file as follows:

disable—Disables the HSM PKCS12 load sharing parameter.
enable—Enables the HSM PKCS12 load sharing parameter.
The default is enable.

For example:

(config) # gsparams gsgroup grp ssl-decrypt hsm-pkcs11 load-sharing disable

hsm-timeout <2-5000>

Configures the HSM timeout in milliseconds. The HSM timeout specifies a period of time for the communication between the HSM and GigaSMART.

The values are from 2 to 5000ms. The default is 1000ms.

For example:

(config) # gsparams gsgroup grp ssl-decrypt hsm-timeout 3600

ssl-decrypt
   key-cache-timeout <1-86400>
   ticket-cache-timeout <1-86400>

Configures the following timeouts used when resuming an out-of-band SSL decryption session:

key-cache-timeout—Configures a timeout for SSL session ID cache, from 1 to 86400 seconds. Applies to SSL 3.0 and TLS 1.x.
ticket-cache-timeout—Configures a timeout for TLS ticket cache, from 1 to 86400 seconds. Applies to only TLS 1.x.
The default for each timeout is 10800 seconds.

For example:

(config) # gsparams gsgroup grp ssl-decrypt key-cache-timeout 3600

These timeouts relate to how the SSL server stores the SSL key material and later, how the client resumes a session using the stored key material. The timeouts refer to the two different ways the session can be resumed: using a session key cache or using a TLS ticket cache.

ssl-decrypt
   key-map
      add service <service alias> key <key alias>
      delete service <<service alias> | all>

Specifies out-of-band SSL decryption and HSM key mappings as follows:

add—Adds an SSL decryption or HSM key/service mapping that maps how a key is assigned to a service, which is an IP address of a server. One service can only be mapped to one key on a GigaSMART group.
delete—Deletes an SSL decryption or HSM key/service mapping or all key/service mappings.

Examples:

(config) # gsparams gsgroup grp ssl-decrypt key-map add service service1 key key1
(config) # gsparams gsgroup grp ssl-decrypt key-map delete service service1

The maximum number of key/service mappings is 2000 on GigaVUE-HC2 and GigaVUE HD Series. The maximum number of key/service mappings is 1000 on GigaVUE-HB1.

First create an SSL key alias, then a service alias, and then use key-map to tie them together. Refer to apps ssl for the commands to create keys, and services, including the default service.

A service can be mapped to different keys on different GigaSMART groups.

ssl-decrypt
   non-ssl-traffic <drop | pass>

Specifies how to handle non-SSL traffic as follows:

drop—Drops all non-SSL packets.
pass—Passes all non-SSL packets.
The default is drop.

Use this parameter when out-of-band SSL decryption sessions have both SSL and non-SSL packets after the SSL 3-way handshake.

For sessions that have SSL and non-SSL traffic, for example SMTP with StartTLS, this parameter provides an option to pass the non-SSL traffic in addition to the decrypted traffic.

For example:

(config) # gsparams gsgroup grp ssl-decrypt non-ssl-traffic drop

ssl-decrypt
   pending-session-timeout <30-120>
   session-timeout <30-3600>
   tcp-syn-timeout <20-600>

Specifies out-of-band SSL decryption timeout options as follows:

pending-session-timeout—Configures a pending session timeout, from 30 to 120 seconds, for when SSL handshake is not completed. The default is 60.
session-timeout—Configures a session timeout, from 30 to 3600 seconds, for when the SSL session is established but no packets are received for the session. The default is 300.
tcp-syn-timeout—Configures a TCP sync timeout, from 20 to 600 seconds, for when TCP handshake is not completed. The default is 20.

For example:

(config) # gsparams gsgroup grp ssl-decrypt session-timeout 90

tunnel-health-check
   action <drop | pass>
   disable
   dstport <destination port for UDP>
   enable
   interval <5-600>
   protocol <icmp | udp>
   rcvport <receive port on decapsulation side>
   retries <1-5>
   roundtriptime <1-4>
   srcport <source port for UDP>

Specifies tunnel health check parameters as follows:

action—Specifies the tunnel health check action. The values are drop or pass to either drop packets or pass packets if the destination is down. The default is pass.
disable—Disables the tunnel health check. The default is disabled.
dstport—Specifies the tunnel health check UDP destination port. The range is from 1 to 65535. The default is 54321. The dstport and rcvport must have the same value.
enable—Enables the tunnel health check. The default is disabled.
interval—Specifies the tunnel health check interval, which is the frequency of the health check. The range is from 5 to 600 seconds (10 minutes). The default is 600 seconds.
protocol—Specifies the tunnel health check protocol. The values are ICMP or UDP. The default is ICMP. The protocols are as follows:
ICMP—Health check uses ICMP Echo Request/Reply packets (like ping)
UDP—Health check uses UDP packets.
rcvport—Specifies the tunnel health check UDP receive port on the decapsulation side. Specify a port that is not in use. The range is from 1 to 65535. The default is 54321. The rcvport and dstport must have the same value.
retries—Specifies the tunnel health check number of retries before declaring the destination down. The range is from 1 to 5. The default is 5.
roundtriptime—Specifies the expected maximum round trip time. The range is from 1 to 4 seconds. The default is 1 second.
srcport—Specifies the tunnel health check UDP source port. The range is from 1 to 65535. The default is 54321.

For example, use the following commands to configure tunnel health check on the encapsulation device:

(config) # gsparams gsgroup grp1 tunnel-health-check enable
(config) # gsparams gsgroup grp1 tunnel-health-check protocol icmp
(config) # gsparams gsgroup grp1 tunnel-health-check interval 300
(config) # gsparams gsgroup grp1 tunnel-health-check retries 3
(config) # gsparams gsgroup grp1 tunnel-health-check action pass
(config) # gsparams gsgroup grp1 tunnel-health-check srcport 45500
(config) # gsparams gsgroup grp1 tunnel-health-check dstport 48000
(config) # gsparams gsgroup grp1 tunnel-health-check roundtriptime 2

For example, when the decapsulation device is a GigaVUE node, use the following commands to configure tunnel health check:

(config) # gsparams gsgroup grp1 tunnel-health-check enable
(config) # gsparams gsgroup grp1 tunnel-health-check rcvport 48000

Related Commands

The following table summarizes other commands related to the gsparams command:

Task

Command

Displays GigaSMART parameters on all GigaSMART groups.

show gsparams

Displays GigaSMART parameters on a specified GigaSMART group.

show gsparams alias gsg1

Displays GigaSMART parameters on all GigaSMART groups.

show gsparams all